discourse/lib/middleware/gtm_script_nonce_injector.rb
Blake Erickson 06ab681498
SECURITY: Don't reuse CSP nonce between requests (#22553)
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2023-07-11 15:23:04 -06:00


# frozen_string_literal: true
module Middleware
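class GtmScriptNonceInjector
  # Rack middleware that finishes the per-request Google Tag Manager nonce.
  #
  # The downstream app renders the GTM script tag with a placeholder value and
  # announces that placeholder in the Discourse-GTM-Nonce-Placeholder response
  # header. This middleware generates a fresh nonce for the current response,
  # substitutes it for every occurrence of the placeholder in the body, and adds
  # `'nonce-<value>'` to the `script-src` directive of each CSP header present.
  # Because the nonce is generated here, once per response, it is never shared
  # between requests.

  # Internal header used to hand the placeholder from the app to this middleware;
  # it is removed before the response leaves the stack.
  GTM_NONCE_PLACEHOLDER_HEADER = "Discourse-GTM-Nonce-Placeholder"

  # CSP headers whose script-src directive receives the nonce.
  CSP_HEADERS = %w[Content-Security-Policy Content-Security-Policy-Report-Only].freeze

  # @param app [#call] downstream Rack application
  # @param settings [Hash] accepted for middleware-stack compatibility; not used
  def initialize(app, settings = {})
    @app = app
  end

  # @param env [Hash] Rack environment
  # @return [Array(Integer, Hash, #each)] Rack response triple; the body is
  #   replaced by an Array of Strings only when a placeholder header was present
  def call(env)
    status, headers, response = @app.call(env)

    nonce_placeholder = headers.delete(GTM_NONCE_PLACEHOLDER_HEADER)
    # Nothing to inject: pass the downstream response through untouched.
    return [status, headers, response] unless nonce_placeholder

    nonce = SecureRandom.hex

    # gsub rather than sub: every occurrence of the placeholder in a body part
    # must carry the same nonce, not just the first one. `response` is only
    # required to respond to #each (Rack body), so no Enumerable helpers here.
    parts = []
    response.each { |part| parts << part.to_s.gsub(nonce_placeholder, nonce) }
    # The original body is discarded in favour of `parts`; Rack requires whoever
    # drops a body to close it so the app can release its resources.
    response.close if response.respond_to?(:close)

    # NOTE(review): the body length changes whenever the nonce and placeholder
    # differ in length, and no Content-Length header is adjusted here — confirm
    # upstream does not set one for these responses.

    CSP_HEADERS.each do |name|
      value = headers[name]
      # Skip absent or whitespace-only headers (stdlib equivalent of blank?).
      next if value.nil? || value.strip.empty?

      headers[name] = value.sub("script-src ", "script-src 'nonce-#{nonce}' ")
    end

    [status, headers, parts]
  end
end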
end