From b1f2c397073adfae79e4ea85daacdb6a75489210 Mon Sep 17 00:00:00 2001
From: sneakers-the-rat
Date: Thu, 30 Nov 2023 22:03:06 -0800
Subject: [PATCH] Add nonce to script-src content security policy and to the mathjax configuration script tag

---
 app/views/layouts/application.html.haml | 20 ++++++++++---------
 .../initializers/content_security_policy.rb | 2 +-
 spec/requests/content_security_policy_spec.rb | 2 +-
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml
index 3b5ab297666056..a836ac406fe0a3 100755
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@@ -35,17 +35,19 @@
 = csrf_meta_tags unless skip_csrf_meta_tags?
 %meta{ name: 'style-nonce', content: request.content_security_policy_nonce }
- :javascript
- var nonce = document.querySelector('meta[name="style-nonce"]').getAttribute('content');
- window.MathJax = {
- chtml: {nonce: nonce},
- tex: {
- processEnvironments: false,
- processRefs: false,
- inlineMath: [['\\(', '\\)']],
- displayMath: [['\\[', '\\]']]
+ %script{ nonce: request.content_security_policy_nonce }
+ :plain
+ var nonce = document.querySelector('meta[name="style-nonce"]').getAttribute('content');
+ window.MathJax = {
+ chtml: {nonce: nonce},
+ tex: {
+ processEnvironments: false,
+ processRefs: false,
+ inlineMath: [['\\(', '\\)']],
+ displayMath: [['\\[', '\\]']]
 }
 };
+ %script{ src: '/MathJax/es5/tex-chtml.js' }
 = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 9b83fd342c631f..8214844746166b 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
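Review bot: Now that the same nonce also authorizes `script-src`, the `%meta{ name: 'style-nonce', ... }` context line publishes a script-capable nonce in an ordinary, selectable attribute, which undoes the nonce hiding browsers apply to the `nonce` attribute of script and style elements (the content attribute is blanked once the element is connected; only the IDL property keeps the value). The added config script now carries the nonce itself, so it can read it without the meta tag, `var nonce = document.currentScript.nonce;`, and the meta line can be dropped if nothing else in the app selects `meta[name="style-nonce"]`. Separately, the closing `}` and `};` lines stayed as context while the body moved under `:plain`, so they keep their old indentation; with conventional indentation `};` would sit at the depth of `:plain`, ending the filter and being emitted as plain text of the `%script` element — same output, but fragile, so re-indent both into the filter (whitespace is collapsed here; confirm in the file). The new `%script{ src: '/MathJax/es5/tex-chtml.js' }` is admitted by `'self'` and needs no nonce unless `'strict-dynamic'` is ever added to script-src.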
@@ -86,7 +86,7 @@ def sso_host
 Rails.application.config.content_security_policy_nonce_generator = ->request { SecureRandom.base64(16) }
-Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
+Rails.application.config.content_security_policy_nonce_directives = %w(style-src script-src)
 Rails.application.reloader.to_prepare do
 PgHero::HomeController.content_security_policy do |p|
diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb
index d327ac1b45d0c3..350442da7df602 100644
--- a/spec/requests/content_security_policy_spec.rb
+++ b/spec/requests/content_security_policy_spec.rb
@@ -21,7 +21,7 @@
 "child-src 'self' blob: https://cb6e6126.ngrok.io",
 "worker-src 'self' blob: https://cb6e6126.ngrok.io",
 "connect-src 'self' blob: data: ws://localhost:4000 https://cb6e6126.ngrok.io",
- "script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'"
+ "script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval' 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='"
 )
 end
 end
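Review bot: Adding `script-src` to `content_security_policy_nonce_directives` means every inline `<script>` the app renders must now carry `request.content_security_policy_nonce`, not only the MathJax config edited in this patch; once a nonce source is present in script-src, browsers block any other `:javascript` filter, `javascript_tag` without `nonce: true`, or inline event handler that lacks it. That is the intended hardening, but the changed line deserves a comment recording the contract, e.g. `# Nonce now gates inline scripts too: every inline <script> must carry request.content_security_policy_nonce`. External scripts are unaffected, since `'self'` still admits self-hosted files such as `/MathJax/es5/tex-chtml.js`. The `reloader.to_prepare` block opened at the end of the hunk continues outside it.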
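Review bot: The expected `'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='` in the new `script-src` line is only stable if the per-request generator (`SecureRandom.base64(16)` in the initializer) is stubbed to that value somewhere outside this hunk; presumably a `before` block does so, and the `style-src` expectation above this hunk must carry the same literal since both directives share one nonce. A one-line comment next to the stub, or above this expectation, naming that dependency would keep the two expectations from drifting, e.g. `# nonce value comes from the SecureRandom.base64 stub above; style-src and script-src must match`. The enclosing example group closes with the trailing `end` lines, but its setup is outside the hunk.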