computer_smile

Great tutorial. Took some time to figure out deploy keys in github but here are the steps that worked for me. cap production deploy kept failing because a permission denied error from github. Here's what I did

Mostly posting for future me 😁

1. go through the ssh key gen process for the deploy user (https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key)

2. Add your key to the ssh agent on deploy https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#adding-your-ssh-key-to-the-ssh-agent

3. Add public key as a deploy key to the repository in github (https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys)

4. Confirm this is working by ssh git@github.com from your deploy user.

5. Try running cap production deploy from local machine

Some things to note:

• This was on an ubuntu machine running nginx.
• make sure the /home/deploy/.ssh directory is owned by the deploy user and not root. (this drove me nuts until I realized)
• My deploy.rb has a repo_url like this set :repo_url, "git@github.com:YOUR_USER_NAME/REPOSITORY_NAME.git"

I can clean this up and get more detailed with commands if you're running into issues. Hope this helps!

Rails 5.2.1 comes with Content Security Policy DSL by default. Here we can specificy what is allowed to run. If we have something like

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.connect_src :self
  #...
  policy.script_src  :self
end

# If you are using UJS then enable automatic nonce generation
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

in our CSP file I think this would disallow everything in create.js.erb ? We could add unsafe_eval to the policy but I believe this negates the whole purpose.

What can we add to allow the create.js.erb to be allowed by the Content Security Policy? I tried adding the <%= csp_meta_tag %> as recommeded here https://edgeguides.rubyonrails.org/security.html#content-security-policy and mentioned here https://github.com/rails/rails/pull/32018. Am I understanding the architecture correctly?

Hello, I'm researching best practices on implementing a Content Security Policy for my 5.2 rails app. I have a few remote: true forms that respond with *.js.erb. It's my understanding that these will be treated as inline scripts and disallowed unless I have a unsafe-inline tag in my policy ( which I want to avoid).

Wondering if anyone has experience converting remote: true forms that respond with a .js.erb file to something that is following best practices for a Content Security Policy. Or, if you can point me to some links where I can further my research.

Thanks!