diff options
| author | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2018-04-17 15:00:57 +0900 |
|---|---|---|
| committer | Yuji Yaginuma <yuuji.yaginuma@gmail.com> | 2018-04-20 15:41:56 +0900 |
| commit | 1694b02909850c9d8f47fb644e98e1203d9f2898 (patch) | |
| tree | 74a5e12f45d62f50dedab2e7e91a553da6802515 /actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee | |
| parent | b8cd9302fe01dcaf4d36cc28cdfb7b9d7db832d8 (diff) | |
| download | rails-1694b02909850c9d8f47fb644e98e1203d9f2898.tar.gz rails-1694b02909850c9d8f47fb644e98e1203d9f2898.tar.bz2 rails-1694b02909850c9d8f47fb644e98e1203d9f2898.zip | |
Make JS views rendered work with content security policy
As of now, `HTMLElement.nonce` seems to work only in Chrome.
So, it should not be used now.
https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce#Browser_compatibility
Fixes #32577.
Diffstat (limited to 'actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee')
| -rw-r--r-- | actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee index cf31c796df..019bda635a 100644 --- a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee +++ b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee @@ -66,7 +66,7 @@ processResponse = (response, type) -> try response = JSON.parse(response) else if type.match(/\b(?:java|ecma)script\b/) script = document.createElement('script') - script.nonce = cspNonce() + script.setAttribute('nonce', cspNonce()) script.text = response document.head.appendChild(script).parentNode.removeChild(script) else if type.match(/\bxml\b/) |