Skip to content

content_security_policy_nonce calls Rails method so CSP does not contain nonce #511

New issue
New issue
Open
#571
Open
content_security_policy_nonce calls Rails method so CSP does not contain nonce#511
#571
Assignees
fletchto99copilot-swe-agent
@jdudley1123

Description

@jdudley1123
jdudley1123
opened on Sep 20, 2023

Expected outcome

I am using GoodJob to process jobs on Rails 6. The GoodJob dashboard includes a number of scripts and styles. These all have nonces set using the content_security_policy_nonce method.

 <%= tag.script "", src: frontend_static_path(:bootstrap, format: :js, v: GoodJob::VERSION, locale: nil), nonce: content_security_policy_nonce %>

(link to code)

I would expect Secure Headers to set the nonce in the CSP header so that these scripts are permitted.

Actual outcome

No nonce is set in the CSP header. I think that Rails' own content_security_policy_nonce method is being called rather than the Secure Headers method of the same name. This means that the CSP set by Secure Headers doesn't include the nonce, and the scripts and styles are therefore not permitted.

I know that recommend practice when using Secure Headers is to use the nonced_javascript_tag method, but since this is in a gem I can't do that.

Possible related issues:

Config

SecureHeaders::Configuration.default do |config|
  config.hsts = "max-age=#{1.year.to_i}; includeSubDomains; preload"
  config.x_frame_options = 'DENY'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection = '1; mode=block'
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.referrer_policy = %w[origin-when-cross-origin
                              strict-origin-when-cross-origin]
  config.csp = {
    default_src: %w['none'],
    script_src: %w['self' http://www.google-analytics.com],
    connect_src: %w['self'],
    frame_ancestors: %w['none'],
    font_src: %w['self' data: https://fonts.gstatic.com],
    img_src: %w['self' data: https://validator.swagger.io],
    style_src: %w['self' https://fonts.googleapis.com],
  }
end

Generated headers

default-src 'none'; connect-src 'self'; font-src 'self' data: fonts.gstatic.com; frame-ancestors 'none'; img-src 'self' data: validator.swagger.io; script-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions