github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-22 16:02:46 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: Allow CSP nonce_placeholder to be generated outside Rails (#26052)

Browse Source 
Sometimes we add scripts outside of Rails. This commit provides a way to generate a nonce placeholder even if you don't have access to an ApplicationController instance.
This commit is contained in:
David Taylor 2024-03-06 13:01:32 +00:00 committed by GitHub
parent 30a3e21463
commit d1a2596889
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/helpers/application_helper.rb
View File

@ -66,9 +66,7 @@ module ApplicationHelper
end
def csp_nonce_placeholder
response.headers[
::Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER
] ||= "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
ContentSecurityPolicy.nonce_placeholder(response.headers)
end
def shared_session_key

6
lib/content_security_policy.rb
View File

@ -7,6 +7,12 @@ class ContentSecurityPolicy
def policy(theme_id = nil, base_url: Discourse.base_url, path_info: "/")
new.build(theme_id, base_url: base_url, path_info: path_info)
end
def nonce_placeholder(response_headers)
response_headers[
::Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER
] ||= "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
end
end
def build(theme_id, base_url:, path_info: "/")