computer_smile

Rails 5.2.1 comes with Content Security Policy DSL by default. Here we can specificy what is allowed to run. If we have something like

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.connect_src :self
  #...
  policy.script_src  :self
end

# If you are using UJS then enable automatic nonce generation
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

in our CSP file I think this would disallow everything in create.js.erb ? We could add unsafe_eval to the policy but I believe this negates the whole purpose.

What can we add to allow the create.js.erb to be allowed by the Content Security Policy? I tried adding the <%= csp_meta_tag %> as recommeded here https://edgeguides.rubyonrails.org/security.html#content-security-policy and mentioned here https://github.com/rails/rails/pull/32018. Am I understanding the architecture correctly?

Hello, I'm researching best practices on implementing a Content Security Policy for my 5.2 rails app. I have a few remote: true forms that respond with *.js.erb. It's my understanding that these will be treated as inline scripts and disallowed unless I have a unsafe-inline tag in my policy ( which I want to avoid).

Wondering if anyone has experience converting remote: true forms that respond with a .js.erb file to something that is following best practices for a Content Security Policy. Or, if you can point me to some links where I can further my research.

Thanks!