Add nonce to javascript tags
This commit is contained in:
Benjamin Neff
Dennis Schubert
parent
4da1c78bb7
commit
6ec0fd4b9f
8 changed files with 39 additions and 38 deletions
|
|
@ -5,7 +5,7 @@
|
||||||
module AnalyticsHelper
|
module AnalyticsHelper
|
||||||
def include_mixpanel
|
def include_mixpanel
|
||||||
include_analytics "mixpanel" do
|
include_analytics "mixpanel" do
|
||||||
javascript_tag do
|
nonced_javascript_tag do
|
||||||
<<-JS.html_safe
|
<<-JS.html_safe
|
||||||
(function(d,c){var a,b,g,e;a=d.createElement('script');a.type='text/javascript';a.async=!0;a.src=('https:'===d.location.protocol?'https:':'http:')+'//api.mixpanel.com/site_media/js/api/mixpanel.2.js';b=d.getElementsByTagName('script')[0];b.parentNode.insertBefore(a,b);c._i=[];c.init=function(a,d,f){var b=c;'undefined'!==typeof f?b=c[f]=[]:f='mixpanel';g='disable track track_pageview track_links track_forms register register_once unregister identify name_tag set_config'.split(' ');
|
(function(d,c){var a,b,g,e;a=d.createElement('script');a.type='text/javascript';a.async=!0;a.src=('https:'===d.location.protocol?'https:':'http:')+'//api.mixpanel.com/site_media/js/api/mixpanel.2.js';b=d.getElementsByTagName('script')[0];b.parentNode.insertBefore(a,b);c._i=[];c.init=function(a,d,f){var b=c;'undefined'!==typeof f?b=c[f]=[]:f='mixpanel';g='disable track track_pageview track_links track_forms register register_once unregister identify name_tag set_config'.split(' ');
|
||||||
for(e=0;e<g.length;e++)(function(a){b[a]=function(){b.push([a].concat(Array.prototype.slice.call(arguments,0)))}})(g[e]);c._i.push([a,d,f])};window.mixpanel=c})(document,[]);
|
for(e=0;e<g.length;e++)(function(a){b[a]=function(){b.push([a].concat(Array.prototype.slice.call(arguments,0)))}})(g[e]);c._i.push([a,d,f])};window.mixpanel=c})(document,[]);
|
||||||
|
|
@ -18,7 +18,7 @@ module AnalyticsHelper
|
||||||
def include_mixpanel_guid
|
def include_mixpanel_guid
|
||||||
return unless current_user
|
return unless current_user
|
||||||
include_analytics "mixpanel" do
|
include_analytics "mixpanel" do
|
||||||
javascript_tag do
|
nonced_javascript_tag do
|
||||||
<<-JS.html_safe
|
<<-JS.html_safe
|
||||||
mixpanel.name_tag("#{current_user.guid}");
|
mixpanel.name_tag("#{current_user.guid}");
|
||||||
JS
|
JS
|
||||||
|
|
@ -28,12 +28,12 @@ module AnalyticsHelper
|
||||||
|
|
||||||
def chartbeat_head_block
|
def chartbeat_head_block
|
||||||
return unless configured?("chartbeat")
|
return unless configured?("chartbeat")
|
||||||
javascript_tag("var _sf_startpt=(new Date()).getTime()")
|
nonced_javascript_tag("var _sf_startpt=(new Date()).getTime()")
|
||||||
end
|
end
|
||||||
|
|
||||||
def include_chartbeat
|
def include_chartbeat
|
||||||
include_analytics "chartbeat" do
|
include_analytics "chartbeat" do
|
||||||
javascript_tag do
|
nonced_javascript_tag do
|
||||||
<<-JS.html_safe
|
<<-JS.html_safe
|
||||||
var _sf_async_config = { uid: #{AppConfig.privacy.chartbeat_uid}, domain: "#{AppConfig.pod_uri.host}" };
|
var _sf_async_config = { uid: #{AppConfig.privacy.chartbeat_uid}, domain: "#{AppConfig.pod_uri.host}" };
|
||||||
(function() {
|
(function() {
|
||||||
|
|
|
||||||
|
|
@ -54,13 +54,13 @@ module ApplicationHelper
|
||||||
if AppConfig.privacy.jquery_cdn?
|
if AppConfig.privacy.jquery_cdn?
|
||||||
version = Jquery::Rails::JQUERY_2_VERSION
|
version = Jquery::Rails::JQUERY_2_VERSION
|
||||||
buf << [javascript_include_tag("//code.jquery.com/jquery-#{version}.min.js")]
|
buf << [javascript_include_tag("//code.jquery.com/jquery-#{version}.min.js")]
|
||||||
buf << [javascript_tag("!window.jQuery && document.write(unescape('#{j javascript_include_tag('jquery2')}'));")]
|
buf << [nonced_javascript_tag("!window.jQuery && document.write(unescape('#{j javascript_include_tag('jquery2')}'));")]
|
||||||
else
|
else
|
||||||
buf << [javascript_include_tag("jquery2")]
|
buf << [javascript_include_tag("jquery2")]
|
||||||
end
|
end
|
||||||
buf << [ javascript_include_tag('jquery_ujs') ]
|
buf << [javascript_include_tag("jquery_ujs")]
|
||||||
buf << [ javascript_tag("jQuery.ajaxSetup({'cache': false});") ]
|
buf << [nonced_javascript_tag("jQuery.ajaxSetup({'cache': false});")]
|
||||||
buf << [ javascript_tag("$.fx.off = true;") ] if Rails.env.test?
|
buf << [nonced_javascript_tag("$.fx.off = true;")] if Rails.env.test?
|
||||||
buf.join("\n").html_safe
|
buf.join("\n").html_safe
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,7 @@ module LayoutHelper
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_javascript_locales(section = 'javascripts')
|
def load_javascript_locales(section = 'javascripts')
|
||||||
content_tag(:script) do
|
nonced_javascript_tag do
|
||||||
<<-JS.html_safe
|
<<-JS.html_safe
|
||||||
Diaspora.I18n.load(#{get_javascript_strings_for(I18n.locale, section).to_json},
|
Diaspora.I18n.load(#{get_javascript_strings_for(I18n.locale, section).to_json},
|
||||||
"#{I18n.locale}",
|
"#{I18n.locale}",
|
||||||
|
|
@ -51,7 +51,7 @@ module LayoutHelper
|
||||||
end
|
end
|
||||||
|
|
||||||
def old_browser_js_support
|
def old_browser_js_support
|
||||||
content_tag(:script) do
|
nonced_javascript_tag do
|
||||||
<<-JS.html_safe
|
<<-JS.html_safe
|
||||||
if(Array.isArray === undefined) {
|
if(Array.isArray === undefined) {
|
||||||
Array.isArray = function (arg) {
|
Array.isArray = function (arg) {
|
||||||
|
|
|
||||||
|
|
@ -2,9 +2,10 @@
|
||||||
-# licensed under the Affero General Public License version 3 or later. See
|
-# licensed under the Affero General Public License version 3 or later. See
|
||||||
-# the COPYRIGHT file.
|
-# the COPYRIGHT file.
|
||||||
|
|
||||||
:javascript
|
%script{nonce: content_security_policy_nonce(:script)}
|
||||||
|
:plain
|
||||||
$(document).ready(function () {
|
$(document).ready(function () {
|
||||||
var data = $.parseJSON( "#{escape_javascript(@contacts_json)}" ),
|
var data = $.parseJSON( "#{escape_javascript(@contacts_json).html_safe}" ),
|
||||||
autocompleteInput = $("#contact-autocomplete");
|
autocompleteInput = $("#contact-autocomplete");
|
||||||
|
|
||||||
autocompleteInput.autoSuggest(data, {
|
autocompleteInput.autoSuggest(data, {
|
||||||
|
|
@ -15,7 +16,7 @@
|
||||||
minChars: 1,
|
minChars: 1,
|
||||||
keyDelay: 0,
|
keyDelay: 0,
|
||||||
startText: '',
|
startText: '',
|
||||||
emptyText: "#{t('no_results')}",
|
emptyText: "#{t("no_results")}",
|
||||||
preFill: [{name : "#{h params[:name]}",
|
preFill: [{name : "#{h params[:name]}",
|
||||||
value : "#{@contact_ids}"}]
|
value : "#{@contact_ids}"}]
|
||||||
});
|
});
|
||||||
|
|
|
||||||
|
|
@ -41,7 +41,7 @@
|
||||||
= csrf_meta_tag
|
= csrf_meta_tag
|
||||||
|
|
||||||
|
|
||||||
= include_gon(camel_case: true)
|
= include_gon(camel_case: true, nonce: content_security_policy_nonce(:script))
|
||||||
|
|
||||||
%body{ class: "page-#{controller_name} action-#{action_name}" }
|
%body{ class: "page-#{controller_name} action-#{action_name}" }
|
||||||
= yield :before_content
|
= yield :before_content
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,7 @@
|
||||||
|
|
||||||
= yield(:head)
|
= yield(:head)
|
||||||
|
|
||||||
= include_gon(:camel_case => true)
|
= include_gon(camel_case: true, nonce: content_security_policy_nonce(:script))
|
||||||
%body
|
%body
|
||||||
#app
|
#app
|
||||||
= render "layouts/header"
|
= render "layouts/header"
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@ SecureHeaders::Configuration.default do |config|
|
||||||
img_src: %w('self' data: *),
|
img_src: %w('self' data: *),
|
||||||
media_src: %w(https:),
|
media_src: %w(https:),
|
||||||
script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
|
script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
|
||||||
embedr.flickr.com platform.instagram.com),
|
embedr.flickr.com platform.instagram.com 'unsafe-inline'),
|
||||||
style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
|
style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -60,11 +60,11 @@ describe ApplicationHelper, :type => :helper do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'inclues jquery.js from jquery cdn' do
|
it 'inclues jquery.js from jquery cdn' do
|
||||||
expect(jquery_include_tag).to match(/jquery\.com/)
|
expect(helper.jquery_include_tag).to match(/jquery\.com/)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'falls back to asset pipeline on cdn failure' do
|
it 'falls back to asset pipeline on cdn failure' do
|
||||||
expect(jquery_include_tag).to match(/document\.write/)
|
expect(helper.jquery_include_tag).to match(/document\.write/)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -74,17 +74,17 @@ describe ApplicationHelper, :type => :helper do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'includes jquery.js from asset pipeline' do
|
it 'includes jquery.js from asset pipeline' do
|
||||||
expect(jquery_include_tag).to match(/jquery2\.js/)
|
expect(helper.jquery_include_tag).to match(/jquery2\.js/)
|
||||||
expect(jquery_include_tag).not_to match(/jquery\.com/)
|
expect(helper.jquery_include_tag).not_to match(/jquery\.com/)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'inclues jquery_ujs.js' do
|
it 'inclues jquery_ujs.js' do
|
||||||
expect(jquery_include_tag).to match(/jquery_ujs\.js/)
|
expect(helper.jquery_include_tag).to match(/jquery_ujs\.js/)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "disables ajax caching" do
|
it "disables ajax caching" do
|
||||||
expect(jquery_include_tag).to match(/jQuery\.ajaxSetup/)
|
expect(helper.jquery_include_tag).to match(/jQuery\.ajaxSetup/)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue