From 1694b02909850c9d8f47fb644e98e1203d9f2898 Mon Sep 17 00:00:00 2001
From: "yuuji.yaginuma"
Date: Tue, 17 Apr 2018 15:00:57 +0900
Subject: Make JS views rendered work with content security policy As of now, `HTMLElement.nonce` seems to work only in Chrome. So, it should not be used now. https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce#Browser_compatibility Fixes #32577.
---
actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionview/app')
diff --git a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
index cf31c796df..019bda635a 100644
--- a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
+++ b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
@@ -66,7 +66,7 @@ processResponse = (response, type) ->
 try response = JSON.parse(response)
 else if type.match(/\b(?:java|ecma)script\b/)
 script = document.createElement('script')
- script.nonce = cspNonce()
+ script.setAttribute('nonce', cspNonce())
 script.text = response
 document.head.appendChild(script).parentNode.removeChild(script)
 else if type.match(/\bxml\b/)
--
cgit v1.2.3
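Review bot: `setAttribute` stringifies its second argument, so on the added line `script.setAttribute('nonce', cspNonce())` a page without a CSP nonce would get a literal `nonce="null"` or `nonce="undefined"` on the injected script if `cspNonce()` returns nothing in that case; `cspNonce` is defined outside this hunk, so that is an assumption to confirm. A guard keeps the element clean: `nonce = cspNonce()` followed by `script.setAttribute('nonce', nonce) if nonce`. A short comment above the call, e.g. `# attribute, not the .nonce property: the property is not supported in all browsers`, would stop a later cleanup from reverting it. Since the nonce marks whatever the response body contains as trusted script, it is worth confirming that only same-origin responses reach this branch; the rest of `processResponse` and its callers are outside the hunk.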