From c113bdc9d0c2cffd535ca97aff85c4bdc46b11f6 Mon Sep 17 00:00:00 2001 From: Guillermo Iguaran <guilleiguaran@gmail.com> Date: Sat, 24 Feb 2018 18:08:38 -0500 Subject: Support for automatic nonce generation was backported to 5.2 --- actionpack/CHANGELOG.md | 28 ---------------------------- 1 file changed, 28 deletions(-) (limited to 'actionpack') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 98bf9c944b..cd419b68f7 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,33 +1,5 @@ ## Rails 6.0.0.alpha (Unreleased) ## -* Add support for automatic nonce generation for Rails UJS - - Because the UJS library creates a script tag to process responses it - normally requires the script-src attribute of the content security - policy to include 'unsafe-inline'. - - To work around this we generate a per-request nonce value that is - embedded in a meta tag in a similar fashion to how CSRF protection - embeds its token in a meta tag. The UJS library can then read the - nonce value and set it on the dynamically generated script tag to - enable it to execute without needing 'unsafe-inline' enabled. - - Nonce generation isn't 100% safe - if your script tag is including - user generated content in someway then it may be possible to exploit - an XSS vulnerability which can take advantage of the nonce. It is - however an improvement on a blanket permission for inline scripts. - - It is also possible to use the nonce within your own script tags by - using `nonce: true` to set the nonce value on the tag, e.g - - <%= javascript_tag nonce: true do %> - alert('Hello, World!'); - <% end %> - - Fixes #31689. - - *Andrew White* - * Rails 6 requires Ruby 2.4.1 or newer. *Jeremy Daer* -- cgit v1.2.3
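Review bot: the hunk only deletes the 6.0.0.alpha entry from actionpack/CHANGELOG.md, while the commit message states the feature was backported to 5.2 without pointing at the 5-2-stable commit or PR that now carries it; the message (or a short note in the PR) should reference that backport so the `Fixes #31689` link and the security caveat in the deleted text (that nonce generation is not 100% safe when a script tag includes user-generated content, and is only an improvement over a blanket 'unsafe-inline' permission) remain discoverable from the changelog history. Please also confirm the 5.2 CHANGELOG entry keeps the `<%= javascript_tag nonce: true do %>` usage note, since this hunk removes the only documentation of that option visible here.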