• Stan Hu's avatar
    Add support for Content-Security-Policy · 5fbbd3dd
    Stan Hu authored
    A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
    inline JavaScript to execute if the script nonce matches the header
    value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
    so provide configuration to enable this and make it work.
    
    To support this, we need to change all `:javascript` HAML filters to the
    following form:
    
    ```
    = javascript_tag nonce: true do
      :plain
        ...
    ```
    
    We use `%script` throughout our HAML to store JSON and other text, but
    since this doesn't execute, browsers don't appear to block this content
    from being used and require the nonce value to be present.
    5fbbd3dd
show.html.haml 5.13 KB