Skip to content

content_security_policy_nonce calls Rails method so CSP does not contain nonce #511

New issue
New issue
Open
Open
content_security_policy_nonce calls Rails method so CSP does not contain nonce#511
@jdudley1123

Description

@jdudley1123
jdudley1123
opened on Sep 20, 2023

Expected outcome

I am using GoodJob to process jobs on Rails 6. The GoodJob dashboard includes a number of scripts and styles. These all have nonces set using the content_security_policy_nonce method.

 <%= tag.script "", src: frontend_static_path(:bootstrap, format: :js, v: GoodJob::VERSION, locale: nil), nonce: content_security_policy_nonce %>

(link to code)

I would expect Secure Headers to set the nonce in the CSP header so that these scripts are permitted.

Actual outcome

No nonce is set in the CSP header. I think that Rails' own content_security_policy_nonce method is being called rather than the Secure Headers method of the same name. This means that the CSP set by Secure Headers doesn't include the nonce, and the scripts and styles are therefore not permitted.

I know that recommend practice when using Secure Headers is to use the nonced_javascript_tag method, but since this is in a gem I can't do that.

Possible related issues:

Config

SecureHeaders::Configuration.default do |config|
  config.hsts = "max-age=#{1.year.to_i}; includeSubDomains; preload"
  config.x_frame_options = 'DENY'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection = '1; mode=block'
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.referrer_policy = %w[origin-when-cross-origin
                              strict-origin-when-cross-origin]
  config.csp = {
    default_src: %w['none'],
    script_src: %w['self' http://www.google-analytics.com],
    connect_src: %w['self'],
    frame_ancestors: %w['none'],
    font_src: %w['self' data: https://fonts.gstatic.com],
    img_src: %w['self' data: https://validator.swagger.io],
    style_src: %w['self' https://fonts.googleapis.com],
  }
end

Generated headers

default-src 'none'; connect-src 'self'; font-src 'self' data: fonts.gstatic.com; frame-ancestors 'none'; img-src 'self' data: validator.swagger.io; script-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions