Merge pull request #44830 from SkipKayhil/docs-nonce-generator

Document ETag compatible CSP nonce generator [ci skip]
Petrik de Heus 2022-04-05 21:34:40 +02:00 committed by GitHub
commit b5d3301823
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 2 deletions


@ -1173,8 +1173,23 @@ end
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
```
Then you can add an automatic nonce value by passing `nonce: true`
as part of `html_options`. Example:
There are a few tradeoffs to consider when configuring the nonce generator.
Using `SecureRandom.base64(16)` is a good default value, because it will
generate a new random nonce for each request. However, this method is
incompatible with [Conditional GET caching](caching_with_rails.html#conditional-get-caching)
because new nonces will result in new ETag values for every request. An
alternative to per-request random nonces would be to use the session id:
```ruby
Rails.application.config.content_security_policy_nonce_generator = -> request { request.session.id.to_s }
```
This generation method is compatible with ETags, however its security depends on
the session id being sufficiently random and not being exposed in insecure
cookies.
Once nonce generation is configured in an initializer, automatic nonce values
can be added to script tags by passing `nonce: true` as part of `html_options`:
```html+erb
<%= javascript_tag nonce: true do -%>
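Review bot: the session-id alternative at `request.session.id.to_s` needs a stronger caveat than "sufficiently random and not being exposed in insecure cookies". Because `nonce: true` writes the generator's return value into the rendered `<script nonce>` attribute, this configuration places the session identifier in the HTML of every page, and the nonce is then constant for the lifetime of the session rather than fresh per response, so one leaked nonce is valid for every later page in that session. Suggest the text either state that trade-off explicitly or show a value derived from the session id (a digest or HMAC keyed with an application secret) in place of the raw id; that keeps the ETag-stable property the paragraph is after without echoing the session id into markup. Separately, `.to_s` turns a request with no session id into an empty-string nonce, so a sentence noting that the session must already exist on the request would avoid a silently empty `nonce` attribute.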