Merge pull request #32018 from rails/add-nonce-support-to-csp

Add support for automatic nonce generation for Rails UJS

4 files changed, 45 insertions, 39 deletions

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index a200a1005c..a9dee10981 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -268,7 +268,8 @@ module Rails
           "action_dispatch.cookies_digest" => config.action_dispatch.cookies_digest,
           "action_dispatch.cookies_rotations" => config.action_dispatch.cookies_rotations,
           "action_dispatch.content_security_policy" => config.content_security_policy,
-          "action_dispatch.content_security_policy_report_only" => config.content_security_policy_report_only
+          "action_dispatch.content_security_policy_report_only" => config.content_security_policy_report_only,
+          "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator
         )
       end
     end
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index 9fbcea1b81..1bdaf91c46 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -17,48 +17,49 @@ module Rails
                     :session_options, :time_zone, :reload_classes_only_on_change,
                     :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
                     :read_encrypted_secrets, :log_level, :content_security_policy_report_only,
-                    :require_master_key
+                    :content_security_policy_nonce_generator, :require_master_key
 
       attr_reader :encoding, :api_only, :loaded_config_version
 
       def initialize(*)
         super
-        self.encoding                        = Encoding::UTF_8
-        @allow_concurrency                   = nil
-        @consider_all_requests_local         = false
-        @filter_parameters                   = []
-        @filter_redirect                     = []
-        @helpers_paths                       = []
-        @public_file_server                  = ActiveSupport::OrderedOptions.new
-        @public_file_server.enabled          = true
-        @public_file_server.index_name       = "index"
-        @force_ssl                           = false
-        @ssl_options                         = {}
-        @session_store                       = nil
-        @time_zone                           = "UTC"
-        @beginning_of_week                   = :monday
-        @log_level                           = :debug
-        @generators                          = app_generators
-        @cache_store                         = [ :file_store, "#{root}/tmp/cache/" ]
-        @railties_order                      = [:all]
-        @relative_url_root                   = ENV["RAILS_RELATIVE_URL_ROOT"]
-        @reload_classes_only_on_change       = true
-        @file_watcher                        = ActiveSupport::FileUpdateChecker
-        @exceptions_app                      = nil
-        @autoflush_log                       = true
-        @log_formatter                       = ActiveSupport::Logger::SimpleFormatter.new
-        @eager_load                          = nil
-        @secret_token                        = nil
-        @secret_key_base                     = nil
-        @api_only                            = false
-        @debug_exception_response_format     = nil
-        @x                                   = Custom.new
-        @enable_dependency_loading           = false
-        @read_encrypted_secrets              = false
-        @content_security_policy             = nil
-        @content_security_policy_report_only = false
-        @require_master_key                  = false
-        @loaded_config_version               = nil
+        self.encoding                            = Encoding::UTF_8
+        @allow_concurrency                       = nil
+        @consider_all_requests_local             = false
+        @filter_parameters                       = []
+        @filter_redirect                         = []
+        @helpers_paths                           = []
+        @public_file_server                      = ActiveSupport::OrderedOptions.new
+        @public_file_server.enabled              = true
+        @public_file_server.index_name           = "index"
+        @force_ssl                               = false
+        @ssl_options                             = {}
+        @session_store                           = nil
+        @time_zone                               = "UTC"
+        @beginning_of_week                       = :monday
+        @log_level                               = :debug
+        @generators                              = app_generators
+        @cache_store                             = [ :file_store, "#{root}/tmp/cache/" ]
+        @railties_order                          = [:all]
+        @relative_url_root                       = ENV["RAILS_RELATIVE_URL_ROOT"]
+        @reload_classes_only_on_change           = true
+        @file_watcher                            = ActiveSupport::FileUpdateChecker
+        @exceptions_app                          = nil
+        @autoflush_log                           = true
+        @log_formatter                           = ActiveSupport::Logger::SimpleFormatter.new
+        @eager_load                              = nil
+        @secret_token                            = nil
+        @secret_key_base                         = nil
+        @api_only                                = false
+        @debug_exception_response_format         = nil
+        @x                                       = Custom.new
+        @enable_dependency_loading               = false
+        @read_encrypted_secrets                  = false
+        @content_security_policy                 = nil
+        @content_security_policy_report_only     = false
+        @content_security_policy_nonce_generator = nil
+        @require_master_key                      = false
+        @loaded_config_version                   = nil
       end
 
       def load_defaults(target_version)
diff --git a/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt b/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
index 5460155b3e..ef715f1368 100644
--- a/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
@@ -3,6 +3,7 @@
   <head>
     <title><%= camelized %></title>
     <%%= csrf_meta_tags %>
+    <%%= csp_meta_tag %>
 
     <%- if options[:skip_javascript] -%>
     <%%= stylesheet_link_tag    'application', media: 'all' %>
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
index edde7f42b8..38c658548d 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@@ -10,12 +10,15 @@
 #   policy.img_src     :self, :https, :data
 #   policy.object_src  :none
 #   policy.script_src  :self, :https
-#   policy.style_src   :self, :https, :unsafe_inline
+#   policy.style_src   :self, :https
 
 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"
 # end
 
+# If you are using UJS then enable automatic nonce generation
+# Rails.application.config.content_security_policy_nonce_generator = -> { SecureRandom.base64(16) }
+
 # Report CSP violations to a specified URI
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only