author | Andrew White <pixeltrix@users.noreply.github.com> | 2018-04-18 18:49:27 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-04-18 18:49:27 +0100 |
commit | 185fce159721b331cc9a0ae17b662373ee0fc95f (patch) | |
tree | aa5c6d50a33ad5681e1703fe0cffcf74927f9f12 /actionview/lib | |
parent | 7bcb04c73decc9fa0448cf75caeee6740942ad29 (diff) | |
parent | 47013a7126a92e1f2890b68e0fd2e7ba1b77c97c (diff) | |
Merge pull request #32607 from yaroslav/feature/nonce-for-javascript_include_tag
Add the `nonce: true` option for `javascript_include_tag` helper.
Diffstat (limited to 'actionview/lib')
-rw-r--r-- | actionview/lib/action_view/helpers/asset_tag_helper.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/actionview/lib/action_view/helpers/asset_tag_helper.rb b/actionview/lib/action_view/helpers/asset_tag_helper.rb
index 06fa1875fc..257080d902 100644
--- a/actionview/lib/action_view/helpers/asset_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/asset_tag_helper.rb
@@ -55,6 +55,8 @@ module ActionView
 # that path.
 # * <tt>:skip_pipeline</tt> - This option is used to bypass the asset pipeline
 # when it is set to true.
+ # * <tt>:nonce<tt> - When set to true, adds an automatic nonce value if
+ # you have Content Security Policy enabled.
 #
 # ==== Examples
 #
@@ -79,6 +81,9 @@ module ActionView
 #
 # javascript_include_tag "http://www.example.com/xmlhr.js"
 # # => <script src="http://www.example.com/xmlhr.js"></script>
+ #
+ # javascript_include_tag "http://www.example.com/xmlhr.js", nonce: true
+ # # => <script src="http://www.example.com/xmlhr.js" nonce="..."></script>
 def javascript_include_tag(*sources)
 options = sources.extract_options!.stringify_keys
 path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
@@ -90,6 +95,9 @@ module ActionView
 tag_options = {
 "src" => href
 }.merge!(options)
+ if tag_options["nonce"] == true
+ tag_options["nonce"] = content_security_policy_nonce
+ end
 content_tag("script".freeze, "", tag_options)
 }.join("\n").html_safe
|
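Review bot: The new `:nonce` bullet in the first hunk opens a second `<tt>` instead of closing the first (`<tt>:nonce<tt>`), so RDoc will likely render the rest of the entry in teletype. It should read `# * <tt>:nonce</tt> - When set to true, adds an automatic nonce value if`. The entry could also state that the value is the per-request Content Security Policy nonce and that, going by the third hunk, any value other than literal `true` is emitted as given.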
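Review bot: The `if tag_options["nonce"] == true` branch in the third hunk stamps the request's CSP nonce onto every source passed in the call, and neither the code nor the new docs say that this authorises whatever URL ends up in `src`. A nonce on a tag whose source is derived from request data weakens the policy it is meant to satisfy, and a nonce rendered into a fragment cache outlives the request it was generated for. I would add a comment above the branch such as `# Only literal true requests the per-request nonce; use it with static, trusted sources and not inside cached fragments.` A test for the case where no nonce generator is configured would also help; presumably `content_security_policy_nonce` returns nil and the attribute is omitted, but that is not visible here. The enclosing `map` block starts and ends outside the hunk.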