From 319248c04916f3d89bcc77ffa84cf79b5fd2fee9 Mon Sep 17 00:00:00 2001 From: Paul <22789+thoughtless@users.noreply.github.com> Date: Tue, 17 Apr 2018 12:29:24 -0700 Subject: Correct docs on naming of sprockets manifest file Calling this an MD5 implies that it is generated consistently based on some input. However, this value is [completely random](https://github.com/rails/sprockets/blob/fbe6e450b6f25cf3ea494fcab0e34001d0b5a0b9/lib/sprockets/manifest_utils.rb#L11-L24). --- guides/source/asset_pipeline.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'guides') diff --git a/guides/source/asset_pipeline.md b/guides/source/asset_pipeline.md index 2f5854fed0..88b87b78d2 100644 --- a/guides/source/asset_pipeline.md +++ b/guides/source/asset_pipeline.md @@ -728,8 +728,8 @@ Rails.application.config.assets.precompile += %w( admin.js admin.css ) NOTE. Always specify an expected compiled filename that ends with `.js` or `.css`, even if you want to add Sass or CoffeeScript files to the precompile array. -The task also generates a `.sprockets-manifest-md5hash.json` (where `md5hash` is -an MD5 hash) that contains a list with all your assets and their respective +The task also generates a `.sprockets-manifest-randomhex.json` (where `randomhex` is +a 16-byte random hex string) that contains a list with all your assets and their respective fingerprints. This is used by the Rails helper methods to avoid handing the mapping requests back to Sprockets. A typical manifest file looks like: -- cgit v1.2.3 From 47013a7126a92e1f2890b68e0fd2e7ba1b77c97c Mon Sep 17 00:00:00 2001 From: Yaroslav Markin Date: Tue, 17 Apr 2018 18:05:12 +0300 Subject: Add the `nonce: true` option for `javascript_include_tag` helper. --- guides/source/security.md | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'guides') diff --git a/guides/source/security.md b/guides/source/security.md index a21526d895..3ac50fb147 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -1182,6 +1182,12 @@ as part of `html_options`. Example: <% end -%> ``` +The same works with `javascript_include_tag`: + +```html+erb +<%= javascript_include_tag "script", nonce: true %> +``` + Use [`csp_meta_tag`](http://api.rubyonrails.org/classes/ActionView/Helpers/CspHelper.html#method-i-csp_meta_tag) helper to create a meta tag "csp-nonce" with the per-session nonce value for allowing inline `