Add nonce to javascript tags

2016-09-08 02:23:46 +02:00 · 2016-09-08 02:23:46 +02:00 · 6ec0fd4b9f
commit 6ec0fd4b9f
parent 4da1c78bb7
8 changed files with 39 additions and 38 deletions
--- a/app/helpers/analytics_helper.rb
+++ b/app/helpers/analytics_helper.rb
@ -5,7 +5,7 @@
 module AnalyticsHelper
  def include_mixpanel
    include_analytics "mixpanel" do
-      javascript_tag do
+      nonced_javascript_tag do
        <<-JS.html_safe
          (function(d,c){var a,b,g,e;a=d.createElement('script');a.type='text/javascript';a.async=!0;a.src=('https:'===d.location.protocol?'https:':'http:')+'//api.mixpanel.com/site_media/js/api/mixpanel.2.js';b=d.getElementsByTagName('script')[0];b.parentNode.insertBefore(a,b);c._i=[];c.init=function(a,d,f){var b=c;'undefined'!==typeof f?b=c[f]=[]:f='mixpanel';g='disable track track_pageview track_links track_forms register register_once unregister identify name_tag set_config'.split(' ');
          for(e=0;e<g.length;e++)(function(a){b[a]=function(){b.push([a].concat(Array.prototype.slice.call(arguments,0)))}})(g[e]);c._i.push([a,d,f])};window.mixpanel=c})(document,[]);
@ -18,7 +18,7 @@ module AnalyticsHelper
  def include_mixpanel_guid
    return unless current_user
    include_analytics "mixpanel" do
-      javascript_tag do
+      nonced_javascript_tag do
        <<-JS.html_safe
          mixpanel.name_tag("#{current_user.guid}");
        JS
@ -28,12 +28,12 @@ module AnalyticsHelper

  def chartbeat_head_block
    return unless configured?("chartbeat")
-    javascript_tag("var _sf_startpt=(new Date()).getTime()")
+    nonced_javascript_tag("var _sf_startpt=(new Date()).getTime()")
  end

  def include_chartbeat
    include_analytics "chartbeat" do
-      javascript_tag do
+      nonced_javascript_tag do
        <<-JS.html_safe
          var _sf_async_config = { uid: #{AppConfig.privacy.chartbeat_uid}, domain: "#{AppConfig.pod_uri.host}" };
          (function() {
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -53,14 +53,14 @@ module ApplicationHelper
    buf = []
    if AppConfig.privacy.jquery_cdn?
      version = Jquery::Rails::JQUERY_2_VERSION
-      buf << [ javascript_include_tag("//code.jquery.com/jquery-#{version}.min.js") ]
-      buf << [javascript_tag("!window.jQuery && document.write(unescape('#{j javascript_include_tag('jquery2')}'));")]
+      buf << [javascript_include_tag("//code.jquery.com/jquery-#{version}.min.js")]
+      buf << [nonced_javascript_tag("!window.jQuery && document.write(unescape('#{j javascript_include_tag('jquery2')}'));")]
    else
      buf << [javascript_include_tag("jquery2")]
    end
-    buf << [ javascript_include_tag('jquery_ujs') ]
-    buf << [ javascript_tag("jQuery.ajaxSetup({'cache': false});") ]
-    buf << [ javascript_tag("$.fx.off = true;") ] if Rails.env.test?
+    buf << [javascript_include_tag("jquery_ujs")]
+    buf << [nonced_javascript_tag("jQuery.ajaxSetup({'cache': false});")]
+    buf << [nonced_javascript_tag("$.fx.off = true;")] if Rails.env.test?
    buf.join("\n").html_safe
  end
 end
--- a/app/helpers/layout_helper.rb
+++ b/app/helpers/layout_helper.rb
@ -20,7 +20,7 @@ module LayoutHelper
  end

  def load_javascript_locales(section = 'javascripts')
-    content_tag(:script) do
+    nonced_javascript_tag do
      <<-JS.html_safe
        Diaspora.I18n.load(#{get_javascript_strings_for(I18n.locale, section).to_json},
                           "#{I18n.locale}",
@ -51,7 +51,7 @@ module LayoutHelper
  end

  def old_browser_js_support
-    content_tag(:script) do
+    nonced_javascript_tag do
      <<-JS.html_safe
        if(Array.isArray === undefined) {
          Array.isArray = function (arg) {
--- a/app/views/conversations/new.mobile.haml
+++ b/app/views/conversations/new.mobile.haml
@ -2,25 +2,26 @@
 -#   licensed under the Affero General Public License version 3 or later.  See
 -#   the COPYRIGHT file.

-:javascript
-  $(document).ready(function () {
-    var data = $.parseJSON( "#{escape_javascript(@contacts_json)}" ),
-        autocompleteInput = $("#contact-autocomplete");
+%script{nonce: content_security_policy_nonce(:script)}
+  :plain
+    $(document).ready(function () {
+      var data = $.parseJSON( "#{escape_javascript(@contacts_json).html_safe}" ),
+          autocompleteInput = $("#contact-autocomplete");

-    autocompleteInput.autoSuggest(data, {
-      selectedItemProp: "name",
-      searchObjProps: "name",
-      asHtmlID: "contact_ids",
-      retrieveLimit: 10,
-      minChars: 1,
-      keyDelay: 0,
-      startText: '',
-      emptyText: "#{t('no_results')}",
-      preFill: [{name : "#{h params[:name]}",
-                 value : "#{@contact_ids}"}]
-      });
-    autocompleteInput.focus();
-  });
+      autocompleteInput.autoSuggest(data, {
+        selectedItemProp: "name",
+        searchObjProps: "name",
+        asHtmlID: "contact_ids",
+        retrieveLimit: 10,
+        minChars: 1,
+        keyDelay: 0,
+        startText: '',
+        emptyText: "#{t("no_results")}",
+        preFill: [{name : "#{h params[:name]}",
+                   value : "#{@contact_ids}"}]
+        });
+      autocompleteInput.focus();
+    });

 .col-md-6#new_conversation_pane
  .container-fluid.row
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@ -41,7 +41,7 @@
    = csrf_meta_tag


-    = include_gon(camel_case:  true)
+    = include_gon(camel_case: true, nonce: content_security_policy_nonce(:script))

  %body{ class:  "page-#{controller_name} action-#{action_name}" }
    = yield :before_content
--- a/app/views/layouts/application.mobile.haml
+++ b/app/views/layouts/application.mobile.haml
@ -52,7 +52,7 @@

    = yield(:head)

-    = include_gon(:camel_case => true)
+    = include_gon(camel_case: true, nonce: content_security_policy_nonce(:script))
  %body
    #app
      = render "layouts/header"
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@ -13,7 +13,7 @@ SecureHeaders::Configuration.default do |config|
    img_src:         %w('self' data: *),
    media_src:       %w(https:),
    script_src:      %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
-                        embedr.flickr.com platform.instagram.com),
+                        embedr.flickr.com platform.instagram.com 'unsafe-inline'),
    style_src:       %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
  }
 end
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@ -60,11 +60,11 @@ describe ApplicationHelper, :type => :helper do
      end

      it 'inclues jquery.js from jquery cdn' do
-        expect(jquery_include_tag).to match(/jquery\.com/)
+        expect(helper.jquery_include_tag).to match(/jquery\.com/)
      end

      it 'falls back to asset pipeline on cdn failure' do
-        expect(jquery_include_tag).to match(/document\.write/)
+        expect(helper.jquery_include_tag).to match(/document\.write/)
      end
    end

@ -74,17 +74,17 @@ describe ApplicationHelper, :type => :helper do
      end

      it 'includes jquery.js from asset pipeline' do
-        expect(jquery_include_tag).to match(/jquery2\.js/)
-        expect(jquery_include_tag).not_to match(/jquery\.com/)
+        expect(helper.jquery_include_tag).to match(/jquery2\.js/)
+        expect(helper.jquery_include_tag).not_to match(/jquery\.com/)
      end
    end

    it 'inclues jquery_ujs.js' do
-      expect(jquery_include_tag).to match(/jquery_ujs\.js/)
+      expect(helper.jquery_include_tag).to match(/jquery_ujs\.js/)
    end

    it "disables ajax caching" do
-      expect(jquery_include_tag).to match(/jQuery\.ajaxSetup/)
+      expect(helper.jquery_include_tag).to match(/jQuery\.ajaxSetup/)
    end
  end