Add optional nonce parameter to HotReload.script()#41
Open
davidpoblador wants to merge 1 commit into florimondmanca:master from
Conversation
Applications that enforce Content Security Policy with nonce-based script-src directives need every inline script tag to carry the request nonce. Without this, the hot-reload script gets blocked by CSP or logged in report-only mode. The new optional nonce parameter on script() causes the generated tag to include a nonce attribute when a value is provided. Passing no argument preserves the existing behavior, so this is fully backwards compatible.
Owner
@davidpoblador Looking perfect, thanks! Is there any chance you could address the isort check failure? I'm away from a laptop right now. I suppose running 'make format' after a fresh local 'make install' should fix it.
Summary
Applications using Content Security Policy with nonce-based script-src directives currently can't use arel without either weakening their CSP or disabling hot-reload entirely. Every inline <script> tag needs to carry the per-request nonce, and HotReload.script() doesn't support that.

This adds an optional nonce parameter: when provided, the generated tag becomes <script nonce="...">. When omitted, behavior is identical to today — fully backwards compatible, no changes needed for existing users.

This feature was suggested by @dlopcol
Test plan
test_script_nonce covering both default (no nonce) and nonce cases
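The mechanism described in the PR description and in the Summary above, as an added example that is not arel's own code: a hypothetical script_tag() standing in for HotReload.script(nonce=...), a per-request nonce generator, the matching nonce-based script-src header, and a defender-side check showing that the tag is only allowed when its nonce matches the policy. HOT_RELOAD_JS is a constructed placeholder for the inline client script.

```python
import html
import re
import secrets
from typing import Optional

# Constructed placeholder; arel's real inline hot-reload client is not reproduced here.
HOT_RELOAD_JS = "/* hot-reload client placeholder */"


def script_tag(nonce: Optional[str] = None) -> str:
    """Hypothetical stand-in for HotReload.script(nonce=...): render the inline
    <script> tag, adding a nonce attribute only when a nonce is supplied."""
    if nonce is None:
        return f"<script>{HOT_RELOAD_JS}</script>"
    # Escape defensively so an unexpected character cannot break out of the attribute.
    return f'<script nonce="{html.escape(nonce, quote=True)}">{HOT_RELOAD_JS}</script>'


def new_nonce() -> str:
    """Per-request nonce: 128 bits from a CSPRNG, url-safe base64 (22 chars, no padding)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Nonce-based script-src; only scripts carrying this exact nonce may execute."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'self'"


_NONCE_ATTR = re.compile(r'<script\b[^>]*\snonce="([^"]*)"')


def tag_allowed_by(header: str, tag: str) -> bool:
    """Would this Content-Security-Policy header allow this script tag?
    A tag with no nonce, or with a nonce absent from the policy, is blocked."""
    allowed = set(re.findall(r"'nonce-([^']+)'", header))
    match = _NONCE_ATTR.search(tag)
    return match is not None and match.group(1) in allowed


if __name__ == "__main__":
    n = new_nonce()
    print("Content-Security-Policy:", csp_header(n))
    print(script_tag(n), "->", tag_allowed_by(csp_header(n), script_tag(n)))
    print(script_tag(), "->", tag_allowed_by(csp_header(n), script_tag()))
```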