
computer_smile
Rails 5.2.1 comes with a Content Security Policy DSL by default. Here we can specify what is allowed to run. If we have something like

```ruby
# config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.connect_src :self
  # ...
  policy.script_src  :self
end

# If you are using UJS then enable automatic nonce generation
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
```

in our CSP file, I think this would disallow everything in `create.js.erb`? We could add `unsafe_eval` to the policy, but I believe this negates the whole purpose.

What can we add so that `create.js.erb` is allowed by the Content Security Policy? I tried adding the `<%= csp_meta_tag %>` as recommended here https://edgeguides.rubyonrails.org/security.html#content-security-policy and mentioned here https://github.com/rails/rails/pull/32018. Am I understanding the architecture correctly?
Hello, I'm researching best practices on implementing a Content Security Policy for my Rails 5.2 app. I have a few `remote: true` forms that respond with `*.js.erb`.

It's my understanding that these will be treated as inline scripts and disallowed unless I have an `unsafe-inline` tag in my policy (which I want to avoid).

Wondering if anyone has experience converting `remote: true` forms that respond with a `.js.erb` file to something that is following best practices for a Content Security Policy. Or, if you can point me to some links where I can further my research.

Thanks!
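Both posts above turn on the same mechanism: with a nonce generator configured, Rails appends `'nonce-<value>'` to `script-src`, `csp_meta_tag` exposes that value in a `<meta name="csp-nonce">` tag, and rails-ujs copies it onto the `<script>` element it creates for a `js.erb` response, so the response runs without `unsafe-inline`. The following is an added, self-contained model of that flow written for this thread; it is not code from Rails or from either poster. It assumes nothing beyond Ruby's standard library: `POLICY` is a constructed stand-in for the DSL block, `build_csp_header` and `inline_script_allowed?` are simplified renderings of what Rails and the browser do, and `inject_js_response` models only the nonce-copying step of rails-ujs.

```ruby
require 'securerandom'

# Constructed stand-in for the DSL block in the post (policy.script_src :self, ...).
POLICY = {
  default_src: [:self, :https],
  connect_src: [:self],
  script_src:  [:self]
}.freeze

# Per-request nonce, same shape as the content_security_policy_nonce_generator lambda.
def generate_nonce
  SecureRandom.base64(16)
end

# DSL symbol -> CSP source syntax: :self -> 'self', :https -> https:
def csp_source(sym)
  case sym
  when :https, :http, :data, :blob, :ws, :wss then "#{sym}:"
  else "'#{sym.to_s.tr('_', '-')}'"
  end
end

# Serialise the policy to a header value. When a nonce is supplied, append
# 'nonce-<value>' to script-src, which is what Rails does once a nonce
# generator is configured (simplified model, not Rails' own serialiser).
def build_csp_header(policy, nonce = nil)
  policy.map do |directive, sources|
    parts = sources.map { |s| csp_source(s) }
    parts << "'nonce-#{nonce}'" if nonce && directive == :script_src
    "#{directive.to_s.tr('_', '-')} #{parts.join(' ')}"
  end.join('; ')
end

# What csp_meta_tag renders, so rails-ujs can read the nonce client-side.
def csp_meta_tag(nonce)
  %(<meta name="csp-nonce" content="#{nonce}" />)
end

# Model of rails-ujs handling a js.erb response: it builds a <script>
# element carrying the nonce read from the csp-nonce meta tag.
# Returned as a hash describing the element rather than a DOM node.
def inject_js_response(body, nonce)
  { inline: true, nonce: nonce, body: body }
end

def find_directive(header, name)
  header.split(';').map(&:strip).find { |d| d.start_with?("#{name} ") }
end

# Browser-side decision for an inline script. script-src governs; if it is
# absent the browser falls back to default-src. A matching nonce allows the
# script; 'unsafe-inline' allows it only when no nonce sources are present
# (a nonce in the directive makes browsers ignore 'unsafe-inline').
def inline_script_allowed?(header, script)
  directive = find_directive(header, 'script-src') || find_directive(header, 'default-src')
  return false unless directive
  sources = directive.split(' ')[1..-1]
  nonces  = sources.select { |s| s.start_with?("'nonce-") }
  return true if script[:nonce] && nonces.include?("'nonce-#{script[:nonce]}'")
  nonces.empty? && sources.include?("'unsafe-inline'")
end

if __FILE__ == $PROGRAM_NAME
  nonce  = generate_nonce
  header = build_csp_header(POLICY, nonce)
  puts "Content-Security-Policy: #{header}"
  puts csp_meta_tag(nonce)
  # Constructed js.erb body, as rails-ujs would receive it for a remote: true form.
  response = inject_js_response("$('#comments').append('<li>new comment</li>');", nonce)
  puts "nonce'd js.erb response allowed: #{inline_script_allowed?(header, response)}"
  puts "un-nonce'd inline script allowed: #{inline_script_allowed?(header, inline: true, nonce: nil, body: 'x')}"
end
```

The two boolean lines at the end are the point of the model: the same policy that rejects an arbitrary inline script accepts the `js.erb` response, because the response's `<script>` carries the per-request nonce. The nonce is only as good as its secrecy, so it must be freshly generated per request and never emitted into a cacheable page.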