Add support for automatic nonce generation for Rails UJS

Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled. Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts. It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g <%= javascript_tag nonce: true do %> alert('Hello, World!'); <% end %> Fixes #31689.
author: Andrew White <andrew.white@unboxed.co> 2018-02-16 13:21:48 +0000
committer: Andrew White <andrew.white@unboxed.co> 2018-02-19 15:59:34 +0000
commit: 31abee0341cb9d19f0234da7b42dddbabfcd1d4a (patch)
tree: e9c45382ed7528c341d85df52f1b0f381ce0fd47 /actionview/test/ujs
parent: dc6185b462dc423e9e6fa89a64aa54427ff7660d (diff)
download: rails-31abee0341cb9d19f0234da7b42dddbabfcd1d4a.tar.gz
rails-31abee0341cb9d19f0234da7b42dddbabfcd1d4a.tar.bz2
rails-31abee0341cb9d19f0234da7b42dddbabfcd1d4a.zip
3 files changed, 24 insertions, 12 deletions
diff --git a/actionview/test/ujs/public/test/call-ajax.js b/actionview/test/ujs/public/test/call-ajax.js
index 49e64cad5c..4d0bfb0806 100644
--- a/actionview/test/ujs/public/test/call-ajax.js
+++ b/actionview/test/ujs/public/test/call-ajax.js
@@ -8,7 +8,6 @@ module('call-ajax', {
 })
 
 asyncTest('call ajax without "ajax:beforeSend"', 1, function() {
-
   var link = $('#qunit-fixture a')
   link.bindNative('click', function() {
     Rails.ajax({
@@ -21,7 +20,7 @@ asyncTest('call ajax without "ajax:beforeSend"', 1, function() {
   })
 
   link.triggerNative('click')
-  setTimeout(function() { start() }, 13)
+  setTimeout(function() { start() }, 50)
 })
 
 })()
diff --git a/actionview/test/ujs/server.rb b/actionview/test/ujs/server.rb
index 7d1bab4b2a..48e9bcb65f 100644
--- a/actionview/test/ujs/server.rb
+++ b/actionview/test/ujs/server.rb
@@ -23,18 +23,30 @@ module UJS
     config.public_file_server.enabled = true
     config.logger = Logger.new(STDOUT)
     config.log_level = :error
+
+    config.content_security_policy do |policy|
+      policy.default_src :self, :https
+      policy.font_src    :self, :https, :data
+      policy.img_src     :self, :https, :data
+      policy.object_src  :none
+      policy.script_src  :self, :https
+      policy.style_src   :self, :https
+    end
+
+    config.content_security_policy_nonce_generator = ->(req) { SecureRandom.base64(16) }
   end
 end
 
 module TestsHelper
   def test_to(*names)
-    names = ["/vendor/qunit.js", "settings"] + names
-    names.map { |name| script_tag name }.join("\n").html_safe
-  end
+    names = names.map { |name| "/test/#{name}.js" }
+    names = %w[/vendor/qunit.js /test/settings.js] + names
 
-  def script_tag(src)
-    src = "/test/#{src}.js" unless src.index("/")
-    %(<script src="#{src}" type="text/javascript"></script>).html_safe
+    capture do
+      names.each do |name|
+        concat(javascript_include_tag(name))
+      end
+    end
   end
 end
 
@@ -56,7 +68,7 @@ class TestsController < ActionController::Base
     elsif params[:iframe]
       payload = JSON.generate(data).gsub("<", "&lt;").gsub(">", "&gt;")
       html = <<-HTML
-        <script>
+        <script nonce="#{request.content_security_policy_nonce}">
           if (window.top && window.top !== window)
             window.top.jQuery.event.trigger('iframe:loaded', #{payload})
         </script>
diff --git a/actionview/test/ujs/views/layouts/application.html.erb b/actionview/test/ujs/views/layouts/application.html.erb
index c787e77b84..8f6f6fc17f 100644
--- a/actionview/test/ujs/views/layouts/application.html.erb
+++ b/actionview/test/ujs/views/layouts/application.html.erb
@@ -2,9 +2,10 @@
 <html id="html">
   <head>
     <title><%= @title %></title>
+    <%= csp_meta_tag %>
     <link href="/vendor/qunit.css" media="screen" rel="stylesheet" type="text/css" media="screen, projection" />
     <script src="/vendor/jquery-2.2.0.js" type="text/javascript"></script>
-    <script>
+    <%= javascript_tag nonce: true do %>
       // This is for test in override.js.
       // Must go before rails-ujs.
       document.addEventListener('rails:attachBindings', function() {
@@ -15,8 +16,8 @@
           e.preventDefault();
         });
       });
-    </script>
-    <%= script_tag "/rails-ujs.js" %>
+    <% end %>
+    <%= javascript_include_tag "/rails-ujs.js" %>
   </head>
 
   <body id="body">
author	Andrew White <andrew.white@unboxed.co>	2018-02-16 13:21:48 +0000
committer	Andrew White <andrew.white@unboxed.co>	2018-02-19 15:59:34 +0000
commit	31abee0341cb9d19f0234da7b42dddbabfcd1d4a (patch)
tree	e9c45382ed7528c341d85df52f1b0f381ce0fd47 /actionview/test/ujs
parent	dc6185b462dc423e9e6fa89a64aa54427ff7660d (diff)
download	rails-31abee0341cb9d19f0234da7b42dddbabfcd1d4a.tar.gz rails-31abee0341cb9d19f0234da7b42dddbabfcd1d4a.tar.bz2 rails-31abee0341cb9d19f0234da7b42dddbabfcd1d4a.zip