From 6ec0fd4b9fa6ca407529af2584d06100c983c76e Mon Sep 17 00:00:00 2001
From: Benjamin Neff <benjamin@coding4coffee.ch>
Date: Thu, 8 Sep 2016 02:23:46 +0200
Subject: [PATCH] Add nonce to javascript tags

---
 app/helpers/analytics_helper.rb           |  8 ++---
 app/helpers/application_helper.rb         | 10 +++---
 app/helpers/layout_helper.rb              |  4 +--
 app/views/conversations/new.mobile.haml   | 37 ++++++++++++-----------
 app/views/layouts/application.html.haml   |  2 +-
 app/views/layouts/application.mobile.haml |  2 +-
 config/initializers/secure_headers.rb     |  2 +-
 spec/helpers/application_helper_spec.rb   | 12 ++++----
 8 files changed, 39 insertions(+), 38 deletions(-)

diff --git a/app/helpers/analytics_helper.rb b/app/helpers/analytics_helper.rb
index 1a17d3c9c..df7f69c6e 100644
--- a/app/helpers/analytics_helper.rb
+++ b/app/helpers/analytics_helper.rb
@@ -5,7 +5,7 @@
 module AnalyticsHelper
   def include_mixpanel
     include_analytics "mixpanel" do
-      javascript_tag do
+      nonced_javascript_tag do
         <<-JS.html_safe
           (function(d,c){var a,b,g,e;a=d.createElement('script');a.type='text/javascript';a.async=!0;a.src=('https:'===d.location.protocol?'https:':'http:')+'//api.mixpanel.com/site_media/js/api/mixpanel.2.js';b=d.getElementsByTagName('script')[0];b.parentNode.insertBefore(a,b);c._i=[];c.init=function(a,d,f){var b=c;'undefined'!==typeof f?b=c[f]=[]:f='mixpanel';g='disable track track_pageview track_links track_forms register register_once unregister identify name_tag set_config'.split(' ');
           for(e=0;e<g.length;e++)(function(a){b[a]=function(){b.push([a].concat(Array.prototype.slice.call(arguments,0)))}})(g[e]);c._i.push([a,d,f])};window.mixpanel=c})(document,[]);
@@ -18,7 +18,7 @@ module AnalyticsHelper
   def include_mixpanel_guid
     return unless current_user
     include_analytics "mixpanel" do
-      javascript_tag do
+      nonced_javascript_tag do
         <<-JS.html_safe
           mixpanel.name_tag("#{current_user.guid}");
         JS
@@ -28,12 +28,12 @@ module AnalyticsHelper
 
   def chartbeat_head_block
     return unless configured?("chartbeat")
-    javascript_tag("var _sf_startpt=(new Date()).getTime()")
+    nonced_javascript_tag("var _sf_startpt=(new Date()).getTime()")
   end
 
   def include_chartbeat
     include_analytics "chartbeat" do
-      javascript_tag do
+      nonced_javascript_tag do
         <<-JS.html_safe
           var _sf_async_config = { uid: #{AppConfig.privacy.chartbeat_uid}, domain: "#{AppConfig.pod_uri.host}" };
           (function() {
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index b488aa4c6..85e0567fd 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -53,14 +53,14 @@ module ApplicationHelper
     buf = []
     if AppConfig.privacy.jquery_cdn?
       version = Jquery::Rails::JQUERY_2_VERSION
-      buf << [ javascript_include_tag("//code.jquery.com/jquery-#{version}.min.js") ]
-      buf << [javascript_tag("!window.jQuery && document.write(unescape('#{j javascript_include_tag('jquery2')}'));")]
+      buf << [javascript_include_tag("//code.jquery.com/jquery-#{version}.min.js")]
+      buf << [nonced_javascript_tag("!window.jQuery && document.write(unescape('#{j javascript_include_tag('jquery2')}'));")]
     else
       buf << [javascript_include_tag("jquery2")]
     end
-    buf << [ javascript_include_tag('jquery_ujs') ]
-    buf << [ javascript_tag("jQuery.ajaxSetup({'cache': false});") ]
-    buf << [ javascript_tag("$.fx.off = true;") ] if Rails.env.test?
+    buf << [javascript_include_tag("jquery_ujs")]
+    buf << [nonced_javascript_tag("jQuery.ajaxSetup({'cache': false});")]
+    buf << [nonced_javascript_tag("$.fx.off = true;")] if Rails.env.test?
     buf.join("\n").html_safe
   end
 end
diff --git a/app/helpers/layout_helper.rb b/app/helpers/layout_helper.rb
index 548ef2082..7de3ad913 100644
--- a/app/helpers/layout_helper.rb
+++ b/app/helpers/layout_helper.rb
@@ -20,7 +20,7 @@ module LayoutHelper
   end
 
   def load_javascript_locales(section = 'javascripts')
-    content_tag(:script) do
+    nonced_javascript_tag do
       <<-JS.html_safe
         Diaspora.I18n.load(#{get_javascript_strings_for(I18n.locale, section).to_json},
                            "#{I18n.locale}",
@@ -51,7 +51,7 @@ module LayoutHelper
   end
 
   def old_browser_js_support
-    content_tag(:script) do
+    nonced_javascript_tag do
       <<-JS.html_safe
         if(Array.isArray === undefined) {
           Array.isArray = function (arg) {
diff --git a/app/views/conversations/new.mobile.haml b/app/views/conversations/new.mobile.haml
index 32d328b0f..6a7a1c0da 100644
--- a/app/views/conversations/new.mobile.haml
+++ b/app/views/conversations/new.mobile.haml
@@ -2,25 +2,26 @@
 -#   licensed under the Affero General Public License version 3 or later.  See
 -#   the COPYRIGHT file.
 
-:javascript
-  $(document).ready(function () {
-    var data = $.parseJSON( "#{escape_javascript(@contacts_json)}" ),
-        autocompleteInput = $("#contact-autocomplete");
+%script{nonce: content_security_policy_nonce(:script)}
+  :plain
+    $(document).ready(function () {
+      var data = $.parseJSON( "#{escape_javascript(@contacts_json).html_safe}" ),
+          autocompleteInput = $("#contact-autocomplete");
 
-    autocompleteInput.autoSuggest(data, {
-      selectedItemProp: "name",
-      searchObjProps: "name",
-      asHtmlID: "contact_ids",
-      retrieveLimit: 10,
-      minChars: 1,
-      keyDelay: 0,
-      startText: '',
-      emptyText: "#{t('no_results')}",
-      preFill: [{name : "#{h params[:name]}",
-                 value : "#{@contact_ids}"}]
-      });
-    autocompleteInput.focus();
-  });
+      autocompleteInput.autoSuggest(data, {
+        selectedItemProp: "name",
+        searchObjProps: "name",
+        asHtmlID: "contact_ids",
+        retrieveLimit: 10,
+        minChars: 1,
+        keyDelay: 0,
+        startText: '',
+        emptyText: "#{t("no_results")}",
+        preFill: [{name : "#{h params[:name]}",
+                   value : "#{@contact_ids}"}]
+        });
+      autocompleteInput.focus();
+    });
 
 .col-md-6#new_conversation_pane
   .container-fluid.row
diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml
index 0b5b44be1..7903dd88b 100644
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@@ -41,7 +41,7 @@
     = csrf_meta_tag
 
 
-    = include_gon(camel_case:  true)
+    = include_gon(camel_case: true, nonce: content_security_policy_nonce(:script))
 
   %body{ class:  "page-#{controller_name} action-#{action_name}" }
     = yield :before_content
diff --git a/app/views/layouts/application.mobile.haml b/app/views/layouts/application.mobile.haml
index 3a26380f8..819a215b2 100644
--- a/app/views/layouts/application.mobile.haml
+++ b/app/views/layouts/application.mobile.haml
@@ -52,7 +52,7 @@
 
     = yield(:head)
 
-    = include_gon(:camel_case => true)
+    = include_gon(camel_case: true, nonce: content_security_policy_nonce(:script))
   %body
     #app
       = render "layouts/header"
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index bdf5cd571..eabf497df 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -13,7 +13,7 @@ SecureHeaders::Configuration.default do |config|
     img_src:         %w('self' data: *),
     media_src:       %w(https:),
     script_src:      %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
-                        embedr.flickr.com platform.instagram.com),
+                        embedr.flickr.com platform.instagram.com 'unsafe-inline'),
     style_src:       %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
   }
 end
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index 092b8f6a1..4c3ec1023 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -60,11 +60,11 @@ describe ApplicationHelper, :type => :helper do
       end
 
       it 'inclues jquery.js from jquery cdn' do
-        expect(jquery_include_tag).to match(/jquery\.com/)
+        expect(helper.jquery_include_tag).to match(/jquery\.com/)
       end
 
       it 'falls back to asset pipeline on cdn failure' do
-        expect(jquery_include_tag).to match(/document\.write/)
+        expect(helper.jquery_include_tag).to match(/document\.write/)
       end
     end
 
@@ -74,17 +74,17 @@ describe ApplicationHelper, :type => :helper do
       end
 
       it 'includes jquery.js from asset pipeline' do
-        expect(jquery_include_tag).to match(/jquery2\.js/)
-        expect(jquery_include_tag).not_to match(/jquery\.com/)
+        expect(helper.jquery_include_tag).to match(/jquery2\.js/)
+        expect(helper.jquery_include_tag).not_to match(/jquery\.com/)
       end
     end
 
     it 'inclues jquery_ujs.js' do
-      expect(jquery_include_tag).to match(/jquery_ujs\.js/)
+      expect(helper.jquery_include_tag).to match(/jquery_ujs\.js/)
     end
 
     it "disables ajax caching" do
-      expect(jquery_include_tag).to match(/jQuery\.ajaxSetup/)
+      expect(helper.jquery_include_tag).to match(/jQuery\.ajaxSetup/)
     end
   end