Closed
1 change: 1 addition & 0 deletions .nvmrc
@@ -0,0 +1 @@
22.12.0
1 change: 1 addition & 0 deletions .ruby-gemset
@@ -0,0 +1 @@
v16
1 change: 1 addition & 0 deletions .ruby-version
@@ -0,0 +1 @@
ruby-3.2.2
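Review bot: `.ruby-version` pins the exact patch release `ruby-3.2.2`, so every patch release on the 3.2 line (the ones that carry security fixes) will need a follow-up change to this file. That is acceptable, but make sure something tracks it (a dependency bot or a CI check) rather than relying on someone remembering to bump it.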
2 changes: 1 addition & 1 deletion app/views/heavy_markdown_editor/index.html.erb
@@ -1 +1 @@
<%= react_component("HeavyMarkdownEditor", props: @heavy_markdown_editor_props, prerender: true) %>
<%= react_component("HeavyMarkdownEditor", props: @heavy_markdown_editor_props, prerender: false) %>
2 changes: 1 addition & 1 deletion app/views/hello_world/index.html.erb
@@ -1 +1 @@
<%= react_component("HelloWorld", props: @hello_world_props, prerender: true) %>
<%= react_component("HelloWorld", props: @hello_world_props, prerender: false) %>
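Review bot: The reason for disabling server-side prerendering is not documented. Both this view and app/views/heavy_markdown_editor/index.html.erb change `prerender: true` to `prerender: false`, so each component is now rendered only on the client and the initial response carries an empty mount point instead of the component's HTML. If this is a workaround for a prerender failure rather than the intended final behaviour, say so in a comment next to the call so it is not mistaken for a deliberate design choice.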
47 changes: 25 additions & 22 deletions config/initializers/content_security_policy.rb
@@ -1,25 +1,28 @@
# Be sure to restart your server when you modify this file.

# Define an application-wide content security policy.
# See the Securing Rails Applications Guide for more information:
# https://guides.rubyonrails.org/security.html#content-security-policy-header
# Define an application-wide content security policy
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

# Rails.application.configure do
# config.content_security_policy do |policy|
# policy.default_src :self, :https
# policy.font_src :self, :https, :data
# policy.img_src :self, :https, :data
# policy.object_src :none
# policy.script_src :self, :https
# policy.style_src :self, :https
# # Specify URI for violation reports
# # policy.report_uri "/csp-violation-report-endpoint"
# end
#
# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
# config.content_security_policy_nonce_directives = %w(script-src style-src)
#
# # Report violations without enforcing the policy.
# # config.content_security_policy_report_only = true
# end
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https
policy.style_src :self, :https
Comment on lines +12 to +13

⚠️ Potential issue | 🟠 Major

Overly permissive CSP directives allow any HTTPS resource.

The :https source in script_src and style_src allows loading scripts and styles from any HTTPS origin, which significantly weakens CSP protection. An attacker who can inject a reference to a malicious HTTPS resource could bypass the policy.

Consider restricting to specific trusted domains or using 'strict-dynamic' with nonces for a more secure approach.

Example of a more restrictive policy:

policy.script_src  :self
policy.style_src   :self

Or if you need to allow specific CDNs:

policy.script_src  :self, 'https://cdn.example.com'
policy.style_src   :self, 'https://cdn.example.com'
🤖 Prompt for AI Agents
In config/initializers/content_security_policy.rb around lines 12-13, the use of
the generic :https source in policy.script_src and policy.style_src is overly
permissive; replace :https with either only :self or an explicit allowlist of
trusted HTTPS origins (e.g. 'https://cdn.example.com'), or implement
nonce-based/script-hash or 'strict-dynamic' approaches if dynamic third-party
scripts are required; update these two directives to remove the wildcard :https
and include only the minimal trusted sources or nonces as appropriate.


# Specify URI for violation reports
# policy.report_uri "/csp-violation-report-endpoint"
end

# If you are using UJS then enable automatic nonce generation
Rails.application.config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }

⚠️ Potential issue | 🔴 Critical

Critical: Insecure nonce generation using session ID.

Using request.session.id.to_s as a nonce generator is insecure. Nonces must be cryptographically random and unique per request to prevent CSP bypass attacks. Session IDs are stable within a session and predictable, defeating the purpose of nonces.

Apply this diff to use Rails' built-in secure nonce generator:

-Rails.application.config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }
🤖 Prompt for AI Agents
In config/initializers/content_security_policy.rb around line 20, the nonce
generator currently uses request.session.id which is insecure; replace it with a
cryptographically secure per-request nonce (e.g., use SecureRandom to generate a
random base64 token or Rails' built-in secure nonce generator) so that nonces
are unique and unpredictable for each request and not derived from the session
ID.


# Set the nonce only to specific directives
Rails.application.config.content_security_policy_nonce_directives = %w(script-src style-src)

Check failure on line 23 in config/initializers/content_security_policy.rb
GitHub Actions / lint

Style/PercentLiteralDelimiters: `%w`-literals should be delimited by `[` and `]`.

⚠️ Potential issue | 🟡 Minor

Fix style: Use square brackets for %w literal.

The linter suggests using %w[] instead of %w() for consistency with Ruby style guidelines.

As per coding guidelines.

Apply this diff:

-Rails.application.config.content_security_policy_nonce_directives = %w(script-src style-src)
+Rails.application.config.content_security_policy_nonce_directives = %w[script-src style-src]

🤖 Prompt for AI Agents
In config/initializers/content_security_policy.rb around line 23, the %w() array
literal uses parentheses; replace the parentheses with square brackets to follow
Ruby style guidelines so the line becomes %w[script-src style-src] (keep the
same elements and spacing).


# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
Rails.application.config.content_security_policy_report_only = true
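Review bot: With `content_security_policy_report_only = true` on the final line and `policy.report_uri` left commented out a few lines above, the policy is neither enforced nor observed: browsers evaluate it, do not block anything, and have no endpoint to send violation reports to, so this initializer has no visible effect once deployed. Either uncomment `policy.report_uri` and point it at a real collector while staying in report-only mode, or remove the `report_only` line once the policy has been validated; a one-line comment stating which phase this commit is in would help the next reader.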