computer_smile

Activity

Posted in Nested Comment Threads in Rails - Part 3 Discussion

Rails 5.2.1 comes with Content Security Policy DSL by default. Here we can specify what is allowed to run. If we have something like

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.connect_src :self
  #...
  policy.script_src  :self
end

# If you are using UJS then enable automatic nonce generation
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

in our CSP file I think this would disallow everything in create.js.erb? We could add unsafe_eval to the policy but I believe this negates the whole purpose.

What can we add to allow the create.js.erb to be allowed by the Content Security Policy? I tried adding the <%= csp_meta_tag %> as recommended here https://edgeguides.rubyonrails.org/security.html#content-security-policy and mentioned here https://github.com/rails/rails/pull/32018. Am I understanding the architecture correctly?

Posted in create.js.erb with Content Security Policy

Hello, I'm researching best practices on implementing a Content Security Policy for my 5.2 Rails app. I have a few remote: true forms that respond with *.js.erb. It's my understanding that these will be treated as inline scripts and disallowed unless I have an unsafe-inline tag in my policy (which I want to avoid).

Wondering if anyone has experience converting remote: true forms that respond with a .js.erb file to something that is following best practices for a Content Security Policy. Or, if you can point me to some links where I can further my research.

Thanks!
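
Both posts above ask the same thing: how a js.erb response survives a nonce-based policy without 'unsafe-inline' or 'unsafe-eval'. The following is an added example, not code from either post and not Rails code. It models the header the DSL in the first post emits (plus the per-request nonce that content_security_policy_nonce_generator produces) and the browser's script-src decision for the cases that matter here. The relevant Rails behaviour it assumes is the one the linked PR introduced: when a remote form gets a JavaScript response, rails-ujs creates a <script> element, copies the nonce from the csp-nonce meta tag rendered by csp_meta_tag onto it and appends it, so the body of create.js.erb is judged like any nonced inline script. The function names, PAGE_ORIGIN and the sample scripts are illustrative assumptions.

```ruby
require "securerandom"
require "uri"

PAGE_ORIGIN = "https://app.example" # constructed origin of the protected page

# Mirrors the DSL from the post: directive => source list, with a fresh
# per-request nonce. Note there is no 'unsafe-inline' and no 'unsafe-eval'.
def build_policy(nonce)
  {
    "default-src" => ["'self'", "https:"],
    "connect-src" => ["'self'"],
    "script-src"  => ["'self'", "'nonce-#{nonce}'"],
  }
end

# Serialises the policy as it appears in the Content-Security-Policy header.
def header_value(policy)
  policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join("; ")
end

# Same-origin test used for the 'self' keyword (scheme, host and port).
def same_origin?(url, origin)
  u = URI(url)
  o = URI(origin)
  u.scheme == o.scheme && u.host == o.host && u.port == o.port
end

# Simplified CSP Level 3 decision for one script element.
#   { inline: true,  nonce: "..." }      inline body, e.g. a js.erb response
#                                        inserted by rails-ujs as a <script>
#   { inline: false, src: "https://..." } external <script src=...>
# Supports 'self', scheme sources, nonces and 'unsafe-inline'; host sources
# and hash sources are recognised only as far as needed for the inline rule.
def script_allowed?(policy, script, page_origin = PAGE_ORIGIN)
  # script-src takes over completely; default-src is only a fallback.
  sources = policy["script-src"] || policy["default-src"] || []
  nonces  = sources.map { |s| s[/\A'nonce-(.+)'\z/, 1] }.compact
  hashes  = sources.grep(/\A'sha(256|384|512)-/)

  if script[:inline]
    # A matching nonce is sufficient on its own.
    return true if script[:nonce] && nonces.include?(script[:nonce])
    # CSP3: 'unsafe-inline' is ignored once any nonce or hash source is present.
    return sources.include?("'unsafe-inline'") && nonces.empty? && hashes.empty?
  end

  url = script[:src]
  return true if sources.include?("'self'") && same_origin?(url, page_origin)
  sources.any? { |s| s.end_with?(":") && URI(url).scheme == s.chomp(":") }
end

# Walks through the cases from the posts under one request's policy.
def demo
  nonce  = SecureRandom.base64(16)
  policy = build_policy(nonce)
  results = {
    # js.erb body inserted by rails-ujs with the nonce from csp_meta_tag
    ujs_with_nonce:  script_allowed?(policy, { inline: true, nonce: nonce }),
    # same body without a nonce (no csp_meta_tag on the page)
    inline_no_nonce: script_allowed?(policy, { inline: true, nonce: nil }),
    # a nonce from another request (cached page, stale meta tag)
    inline_stale:    script_allowed?(policy, { inline: true, nonce: SecureRandom.base64(16) }),
    # the application bundle served from the same origin
    self_bundle:     script_allowed?(policy, { inline: false, src: "#{PAGE_ORIGIN}/assets/application.js" }),
    # a third-party script: default-src's https: does not apply to scripts
    third_party:     script_allowed?(policy, { inline: false, src: "https://cdn.example/x.js" }),
  }
  [header_value(policy), results]
end
```

Two points the model makes explicit: the js.erb body is accepted only because the <script> element rails-ujs creates carries the current nonce, so the csp_meta_tag must be on every page that fires a remote form (a stale nonce from a cached page is rejected like any other inline script); and adding 'unsafe-inline' next to a nonce buys nothing, since browsers ignore it once a nonce or hash source is present.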

Posted in Stimulus JS Twitter UI: Part 2 Discussion

Is there any reason we can't put the data action as a button click on the submit button instead of the ajax:beforeSend on the actual form? I can't seem to get the latter to correctly register. 

Ruby on Rails tutorials, guides, and screencasts for web developers learning Ruby, Rails, Javascript, Turbolinks, Stimulus.js, Vue.js, and more. Icons by Icons8

© 2020 GoRails, LLC. All rights reserved.