René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"`content_security_policy_nonce` calls Rails method so CSP does not contain nonce","articleBody":"### Expected outcome\r\nI am using GoodJob to process jobs on Rails 6. The GoodJob dashboard includes a number of scripts and styles. These all have nonces set using the `content_security_policy_nonce` method.\r\n```\r\n \u003c%= tag.script \"\", src: frontend_static_path(:bootstrap, format: :js, v: GoodJob::VERSION, locale: nil), nonce: content_security_policy_nonce %\u003e\r\n```\r\n\r\n([link to code](https://github.com/bensheldon/good_job/blob/c71c3b338326bc14fb0ec58eaf70f6ee66c20c02/app/views/layouts/good_job/application.html.erb#L14))\r\n\r\nI would expect Secure Headers to set the nonce in the CSP header so that these scripts are permitted.\r\n\r\n### Actual outcome\r\n\r\nNo nonce is set in the CSP header. I think that Rails' own `content_security_policy_nonce` method is being called rather than the Secure Headers method of the same name. This means that the CSP set by Secure Headers doesn't include the nonce, and the scripts and styles are therefore not permitted.\r\n\r\nI know that recommend practice when using Secure Headers is to use the `nonced_javascript_tag` method, but since this is in a gem I can't do that.\r\n\r\nPossible related issues:\r\n- https://github.com/github/secure_headers/issues/392\r\n- https://github.com/github/secure_headers/pull/389\r\n\r\n### Config\r\n\r\n```\r\nSecureHeaders::Configuration.default do |config|\r\n  config.hsts = \"max-age=#{1.year.to_i}; includeSubDomains; preload\"\r\n  config.x_frame_options = 'DENY'\r\n  config.x_content_type_options = 'nosniff'\r\n  config.x_xss_protection = '1; mode=block'\r\n  config.x_download_options = 'noopen'\r\n  config.x_permitted_cross_domain_policies = 'none'\r\n  config.referrer_policy = %w[origin-when-cross-origin\r\n                              strict-origin-when-cross-origin]\r\n  config.csp = {\r\n    default_src: %w['none'],\r\n    script_src: %w['self' http://www.google-analytics.com],\r\n    connect_src: %w['self'],\r\n    frame_ancestors: %w['none'],\r\n    font_src: %w['self' data: https://fonts.gstatic.com],\r\n    img_src: %w['self' data: https://validator.swagger.io],\r\n    style_src: %w['self' https://fonts.googleapis.com],\r\n  }\r\nend\r\n```\r\n\r\n### Generated headers\r\n\r\n```\r\ndefault-src 'none'; connect-src 'self'; font-src 'self' data: fonts.gstatic.com; frame-ancestors 'none'; img-src 'self' data: validator.swagger.io; script-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com\r\n```\r\n","author":{"url":"https://github.com/jdudley1123","@type":"Person","name":"jdudley1123"},"datePublished":"2023-09-20T12:50:27.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/511/secure_headers/issues/511"}