
2021-03-20

Author: Internet

Turbolinks broken by default with a secure CSP

Good: Rails includes built-in tools to generate a CSP

Great: That CSP encourages disallowing unsafe inline JS (no 'unsafe-inline' in script-src), relying on nonces instead

Incredible: Rails includes a javascript_tag(nonce: true) helper so you can emit nonced inline JS

WTF: If you use all these tools together with Turbolinks, none of the nonces work. Turbolinks fetches subsequent pages over XHR and merges them into the existing document, so the inline scripts in the fetched body carry a freshly generated nonce while the browser still enforces the CSP (and therefore the nonce) of the original full-page load.

If you want UJS, Turbolinks, and other nonced inline JS to work, you need to do the following:

1. Change nonce generation so that the nonce does not change for Turbolinks requests (the fetched page is merged into the existing document, whose enforced CSP still carries the original nonce)

# In config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy_nonce_generator = ->(request) do
  # Turbolinks sets a Turbolinks-Referrer header on the requests it makes.
  # For those, reuse the nonce the page already has (sent back by the JS in
  # step 2); for normal navigations, generate a fresh one.
  if request.env['HTTP_TURBOLINKS_REFERRER'].present?
    request.env['HTTP_X_TURBOLINKS_NONCE']
  else
    SecureRandom.base64(16)
  end
end

2. Send the page's current nonce as a request header on Turbolinks requests so the generator above can reuse it

// Somewhere in /app/javascript
// Requires <%= csp_meta_tag %> in the layout, which emits <meta name="csp-nonce" content="...">.
document.addEventListener("turbolinks:request-start", function(event) {
  var xhr = event.data.xhr;
  var meta = document.querySelector("meta[name='csp-nonce']");
  if (meta) {
    // Echo the nonce the document is already enforcing so the server reuses it (see step 1).
    xhr.setRequestHeader("X-Turbolinks-Nonce", meta.content);
  }
});

3. Because the browser hides the nonce content attribute once the page has loaded (for security reasons it is only exposed through the `nonce` IDL property), the value has to be read via JS and written back as an ordinary attribute before Turbolinks caches the page; otherwise, on cache restoration visits, the nonces won't be there!

// Somewhere in /app/javascript
document.addEventListener("turbolinks:before-cache", function() {
  // element.nonce (the IDL property) still holds the value even though the
  // content attribute has been blanked; write it back so the cached snapshot keeps it.
  document.querySelectorAll("script[nonce]").forEach(function(element) {
    element.setAttribute("nonce", element.nonce);
  });
});
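The generator in step 1 copies a client-supplied header straight into the Content-Security-Policy response header. Turbolinks is the only thing that should ever send X-Turbolinks-Nonce, but nothing in the code checks that the value looks like a nonce, so a malformed value ends up spliced into the policy verbatim. The following is an added example (not code from the original post) of a hardened version with the same shape as the lambda Rails expects: it only echoes the header back when it is exactly a base64 nonce this app could have issued, and otherwise falls back to a fresh one. The helper names, the example referrer URL, and the Rack env hashes in the demo are constructed for illustration.

```ruby
require 'securerandom'

# Added example, not the original post's code: a hardened version of the
# step-1 nonce generator. Same contract as the lambda Rails expects for
# config.content_security_policy_nonce_generator (called with the request,
# returns the nonce string), but the client-supplied X-Turbolinks-Nonce
# header is only reused when it matches the exact shape of a nonce we issue.

NONCE_BYTES = 16
# SecureRandom.base64(16) always yields 22 base64 characters plus "==" padding.
NONCE_PATTERN = %r{\A[A-Za-z0-9+/]{22}==\z}

# Turbolinks marks its XHR page fetches with a Turbolinks-Referrer header,
# which Rack exposes to the app as HTTP_TURBOLINKS_REFERRER.
def turbolinks_request?(env)
  referrer = env['HTTP_TURBOLINKS_REFERRER']
  referrer.is_a?(String) && !referrer.empty?
end

# Returns the nonce to use for this response: the page's existing nonce on a
# Turbolinks visit (the document's enforced CSP still carries it), a fresh
# random one otherwise. A malformed echoed value is rejected so that nothing
# attacker-shaped (";", spaces, quotes) is spliced into the CSP header.
def reuse_or_generate_nonce(env)
  if turbolinks_request?(env)
    echoed = env['HTTP_X_TURBOLINKS_NONCE']
    return echoed if echoed.is_a?(String) && echoed.match?(NONCE_PATTERN)
  end
  SecureRandom.base64(NONCE_BYTES)
end

# The script-src directive for a policy of `script_src :self` with nonces
# enabled, simplified for the demo (the real header carries more directives).
def script_src_directive(nonce)
  "script-src 'self' 'nonce-#{nonce}'"
end

# Wiring it up in config/initializers/content_security_policy.rb would be:
#   Rails.application.config.content_security_policy_nonce_generator =
#     ->(request) { reuse_or_generate_nonce(request.env) }

if __FILE__ == $PROGRAM_NAME
  # Constructed Rack env fragments standing in for three requests.
  first_load = {}
  page_nonce = reuse_or_generate_nonce(first_load)
  puts "full page load:   #{script_src_directive(page_nonce)}"

  turbolinks_visit = {
    'HTTP_TURBOLINKS_REFERRER' => 'https://app.example/',
    'HTTP_X_TURBOLINKS_NONCE' => page_nonce
  }
  puts "turbolinks visit: #{script_src_directive(reuse_or_generate_nonce(turbolinks_visit))}"

  tampered = turbolinks_visit.merge('HTTP_X_TURBOLINKS_NONCE' => "x'; script-src *")
  puts "tampered header:  #{script_src_directive(reuse_or_generate_nonce(tampered))}"
end
```

On the tampered request the generator ignores the header and issues a new random nonce; the inline scripts in that Turbolinks response will then fail the document's CSP, which is the safe failure mode. A direct browser navigation never carries the Turbolinks-Referrer header, so it always gets a fresh nonce and the reuse path cannot be reached from a cross-site link.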

Source: https://blog.csdn.net/qq_43565746/article/details/115035090