mirror of
https://github.com/discourse/discourse.git
synced 2024-11-23 01:16:22 +08:00
d1a2596889
Sometimes we add scripts outside of Rails. This commit provides a way to generate a nonce placeholder even if you don't have access to an ApplicationController instance.
31 lines
942 B
Ruby
31 lines
942 B
Ruby
# frozen_string_literal: true
|
|
require "content_security_policy/builder"
|
|
require "content_security_policy/extension"
|
|
|
|
class ContentSecurityPolicy
|
|
class << self
|
|
def policy(theme_id = nil, base_url: Discourse.base_url, path_info: "/")
|
|
new.build(theme_id, base_url: base_url, path_info: path_info)
|
|
end
|
|
|
|
def nonce_placeholder(response_headers)
|
|
response_headers[
|
|
::Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER
|
|
] ||= "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
|
|
end
|
|
end
|
|
|
|
def build(theme_id, base_url:, path_info: "/")
|
|
builder = Builder.new(base_url: base_url)
|
|
|
|
Extension.theme_extensions(theme_id).each { |extension| builder << extension }
|
|
Extension.plugin_extensions.each { |extension| builder << extension }
|
|
builder << Extension.site_setting_extension
|
|
builder << Extension.path_specific_extension(path_info)
|
|
|
|
builder.build
|
|
end
|
|
end
|
|
|
|
CSP = ContentSecurityPolicy
|