Violates CSP unsafe-inline rule #71

Open
opened 2016-03-03 23:22:53 +00:00 by chrisnicola · 4 comments
chrisnicola commented 2016-03-03 23:22:53 +00:00 (Migrated from github.com)

While I get that this isn't a huge deal in development, I'd prefer if the CSP rules in development mode mostly matched the ones I'd like to use in production so that developers know if they are violating CSP rules.

This script is the main problem, assuming SWF is off.

<script type="text/javascript">
  RACK_LIVERELOAD_PORT = 35729;
</script>

I'm trying to think of ways this could be done without an inline script. Possibly a data attribute?

ryenski commented 2017-11-28 15:57:30 +00:00 (Migrated from github.com)

This is going to be an issue with Rails 5.2, which includes CSP policy by default. See https://github.com/rails/rails/pull/31162#issuecomment-347463658

pixeltrix commented 2017-11-28 16:08:36 +00:00 (Migrated from github.com)

One suggestion is to use nonce values for the script tags and dynamically modify the CSP header in the middleware.

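A worked version of that suggestion, added here as an example; it is not code from rack-livereload or from anyone in this thread. It is a small Rack middleware that buffers an HTML response, injects the `RACK_LIVERELOAD_PORT` bootstrap as an inline script tagged with a per-request nonce, and appends the matching `'nonce-…'` source to the response's `script-src` directive, so the page loads under a policy that has no `'unsafe-inline'`. The class name `NonceLiveReload`, the env key it checks for an upstream nonce, and the default port `35729` (taken from the issue) are assumptions; only the plain Rack interface is used, so it runs without the `rack` gem.

```ruby
require 'securerandom'

# Added example (not rack-livereload's own code): inject a nonce-tagged inline
# <script> and advertise the same nonce in Content-Security-Policy script-src.
class NonceLiveReload
  CSP_HEADER = 'Content-Security-Policy'
  # Assumed env key where an upstream framework may already have stored a
  # per-request nonce; when absent we generate our own.
  NONCE_ENV_KEY = 'action_dispatch.content_security_policy_nonce'

  def initialize(app, port: 35729, nonce_generator: -> { SecureRandom.base64(16) })
    @app = app
    @port = port
    @nonce_generator = nonce_generator
  end

  def call(env)
    status, headers, body = @app.call(env)
    type_key = header_key(headers, 'Content-Type')
    return [status, headers, body] unless type_key && headers[type_key].to_s.start_with?('text/html')

    nonce = env[NONCE_ENV_KEY] || @nonce_generator.call
    html = +''
    body.each { |chunk| html << chunk.to_s }
    body.close if body.respond_to?(:close)
    html = inject(html, nonce)

    headers = headers.dup
    if (csp_key = header_key(headers, CSP_HEADER))
      headers[csp_key] = self.class.add_nonce(headers[csp_key], nonce)
    end
    if (len_key = header_key(headers, 'Content-Length'))
      headers[len_key] = html.bytesize.to_s # body changed, keep the length honest
    end
    [status, headers, [html]]
  end

  # Append 'nonce-<nonce>' to script-src. If the policy has no script-src,
  # scripts are governed by default-src, so a script-src is created from the
  # default-src sources plus the nonce (adding the nonce to default-src itself
  # would also whitelist it for styles, images, and every other fetch type).
  # A policy that restricts neither is left untouched.
  def self.add_nonce(policy, nonce)
    directives = policy.split(';').map(&:strip).reject(&:empty?)
    source = "'nonce-#{nonce}'"
    name = ->(d) { d.split(/\s+/).first.to_s.downcase }

    if (idx = directives.index { |d| name.call(d) == 'script-src' })
      directives[idx] += " #{source}"
    elsif (default = directives.find { |d| name.call(d) == 'default-src' })
      # 'none' is meaningless next to another source expression, so drop it.
      sources = default.split(/\s+/).drop(1).reject { |s| s.casecmp?("'none'") }
      directives << ['script-src', *sources, source].join(' ')
    end
    directives.join('; ')
  end

  private

  # Place the bootstrap just before </head>; the nonce comes from SecureRandom
  # (base64 alphabet only), so it is safe to interpolate into the attribute.
  def inject(html, nonce)
    tag = %(<script nonce="#{nonce}">RACK_LIVERELOAD_PORT = #{@port};</script>)
    html.sub(%r{</head>}i) { |m| tag + m }
  end

  # Rack 3 lowercases header names, Rack 2 does not; match case-insensitively.
  def header_key(headers, name)
    headers.keys.find { |k| k.to_s.casecmp?(name) }
  end
end
```

Two caveats worth keeping in mind when adopting this: the nonce must be fresh and unpredictable for every response (here 128 bits from `SecureRandom`), and a response carrying it must not be cached and served to another client, or an attacker who can read one page can reuse the nonce. Also, once a `'nonce-…'` source is present in `script-src`, CSP-capable browsers ignore any `'unsafe-inline'` in that same directive, which is exactly why the development policy can then match production.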
coolsoftwaretyler commented 2020-01-08 21:56:54 +00:00 (Migrated from github.com)

I've got a project that uses a restrictive CSP in development, and it'd be great to have a solution other than conditionally allowing this through the CSP in the dev environment.

Anyone working on this? Is it worth it for me to dig in, myself?

denzelem commented 2020-08-17 14:00:14 +00:00 (Migrated from github.com)

With the Webpack integration in Rails this issue becomes less important, as many people use the live reload mechanism of the webpack dev server. So guard-livereload + rack-livereload are only required if you want to live reload e.g. the text in views.

Still, here is an unfinished code example that might be used to prepare a PR to https://github.com/jaredmdobson/rack-livereload
(this repo here is deprecated). Unfortunately jaredmdobson/rack-livereload does not allow issues, so there is no way to ask if a PR is welcome.

lib/ext/rack_livereload/body_processor.rb

if Rails.env.development?

  # Prepended onto Rack::LiveReload::BodyProcessor so the injected <script>
  # tags carry the per-request CSP nonce that Rails generates (Rails 5.2+).
  module BodyProcessorExtension
    def process!(env)
      request = ActionDispatch::Request.new(env)
      # Stays nil when the app has no nonce generator configured; the template
      # then renders an empty nonce attribute.
      @content_security_policy_nonce = request.content_security_policy_nonce if request.respond_to?(:content_security_policy_nonce)

      super
    end

    # Swap the gem's bundled skel/livereload.html.erb for a copy that adds the
    # nonce attribute to the inline scripts.
    def template
      template_path = Rails.root.join('lib', 'ext', 'rack_livereload', 'skel', 'livereload.html.erb')

      ERB.new(::File.read(template_path))
    end
  end

  Rack::LiveReload::BodyProcessor.prepend(BodyProcessorExtension)

end

lib/ext/rack_livereload/skel/livereload.html.erb

<%# Copy of the gem's skel/livereload.html.erb; only the nonce attributes on the two inline scripts are new. %>
<% if with_swf? %>
  <script type="text/javascript" nonce="<%= @content_security_policy_nonce %>">
      WEB_SOCKET_SWF_LOCATION = "/__rack/WebSocketMain.swf";
      <% if force_swf? %>
      WEB_SOCKET_FORCE_FLASH = true;
      <% end %>
  </script>
  <script type="text/javascript" src="<%= app_root %>/__rack/swfobject.js"></script>
  <script type="text/javascript" src="<%= app_root %>/__rack/web_socket.js"></script>
<% end %>
<%# External scripts need no nonce as long as script-src allows their origin. %>
<script type="text/javascript" nonce="<%= @content_security_policy_nonce %>">
    RACK_LIVERELOAD_PORT = <%= @options[:live_reload_port] %>;
</script>
<script type="text/javascript" src="<%= livereload_source %>"></script>

This requires you to apply the following settings to the application:

# Generate a fresh 128-bit nonce per request and add 'nonce-...' to script-src
# in the Content-Security-Policy header.
Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

# Load the extension above so it is prepended before the first request.
Dir.glob(Rails.root.join('lib/ext/**/*.rb')).each do |filename|
  require filename
end
Reference: github-migration/rack-livereload#71