Automatically add a nonce to script tag (#100)

... if a csp-nonce meta tag is available to get it from.

- Added test that confirms that nonce is added
- Added an end-to-end test that uses a strict CSP. Confirmed that this fails without the nonce added
  to javascript_include_tag calls.
- With Sprockets 4, it doesn't add a separate script tag for jquery, so add an explicit
  javascript_include_tag "jquery" for that case

Co-authored-by: Matt Brictson <[email protected]>

Author: TylerRick

lib/xray/middleware.rb

@@ -111,10 +111,15 @@ def script_matcher(script_name)
       /x
     end
 
+    def nonce_from_meta_tag(html)
+      html[/<meta name="csp-nonce" content="([^"]*)"/, 1].presence
+    end
+
     # Appends the given `script_name` after the `after_script_name`.
     def append_js!(html, after_script_name, script_name)
       html.sub!(script_matcher(after_script_name)) do
-        "#{$~}\n" + helper.javascript_include_tag(script_name)
+        nonce = nonce_from_meta_tag(html)
+        "#{$~}\n" + helper.javascript_include_tag(script_name, nonce: nonce)
       end
     end
 

spec/dummy/app/assets/config/manifest.js

@@ -1,2 +1,3 @@
-//= link_directory ../javascripts .js
 //= link_directory ../stylesheets .css
+//= link_directory ../javascripts .js
+//= link jquery.js

spec/dummy/app/controllers/application_controller.rb

@@ -1,9 +1,19 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
 
+  if respond_to?(:content_security_policy) # Rails >= 5.2
+    content_security_policy only: :strict_csp do |policy|
+      policy.script_src :self, :strict_dynamic
+    end
+  end
+
   def root
   end
 
+  def strict_csp
+    render :root
+  end
+
   # For the tests
   def non_html
     render json: {foo: 'bar'}

spec/dummy/app/views/layouts/application.html.erb

@@ -2,9 +2,12 @@
 <html>
 <head>
   <title>Xray</title>
-  <%= stylesheet_link_tag    "application", :media => "all" %>
-  <%= javascript_include_tag "application" %>
+  <%= stylesheet_link_tag    "application", media: "all" %>
+  <%= javascript_include_tag "application", nonce: true %>
+  <%# With Sprockets 4, it doesn't add a separate script tag for jquery, but one is needed for xray %>
+  <%= javascript_include_tag "jquery", nonce: true  if Gem.loaded_specs['sprockets'].version >= Gem::Version.new('4.0.0') %>
   <%= csrf_meta_tags %>
+  <%= csp_meta_tag  if Gem.loaded_specs['rails'].version >= Gem::Version.new('5.2.0') %>
 </head>
 <body>
 

spec/dummy/config/initializers/content_security_policy.rb

@@ -0,0 +1,7 @@
+if Gem.loaded_specs['rails'].version >= Gem::Version.new('5.2.0')
+  Rails.application.config.content_security_policy do |policy|
+    # Empty. Only need one endpoint (/strict_csp) to use a strict CSP in our tests.
+  end
+
+  Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+end

spec/xray/e2e_spec.rb

@@ -6,7 +6,18 @@
     expect_to_work
   end
 
+  if Gem.loaded_specs['rails'].version >= Gem::Version.new('5.2.0')
+    it "works when using a strict CSP" do
+      visit '/strict_csp'
+      expect_to_work
+    end
+  end
+
   def expect_to_work
+    if Gem.loaded_specs['rails'].version >= Gem::Version.new('5.2.0')
+      expect(page).to have_selector('script[src^="/assets/xray"][nonce]')
+      expect(page.find('script[src^="/assets/xray"]')[:nonce]).to eq page.find('meta[name="csp-nonce"]')[:content]
+    end
     expect(page).to have_selector('#xray-bar')
 
     expect(page).to have_no_selector('.xray-specimen-handle.TemplateSpecimen', text: 'root.html.erb')

spec/xray/middleware_spec.rb

@@ -95,6 +95,14 @@ def mock_response(status, content_type, body)
     expect(page).to have_selector('script[src^="/assets/xray"]')
   end
 
+  if Gem.loaded_specs['rails'].version >= Gem::Version.new('5.2.0')
+    it "adds nonce to the script tag" do
+      visit '/'
+      expect(page).to have_selector('script[src^="/assets/xray"][nonce]')
+      expect(page.find('script[src^="/assets/xray"]')[:nonce]).to eq page.find('meta[name="csp-nonce"]')[:content]
+    end
+  end
+
   it "injects the xray bar into the response" do
     visit '/'
     expect(page).to have_selector('#xray-bar')