gazay/gon

How to use CSP `nonce` option with Rails 5.2?

Spone opened this issue · 3 comments

Spone commented

Since 5.2, Rails supports adding a nonce to script tags (see http://guides.rubyonrails.org/security.html#content-security-policy)

What's the recommended way to use it with gon? I managed to make it work with:

<%= javascript_tag nonce: true do -%>
  <%= include_gon(need_tag: false) -%>
<% end %>

but I'd rather do it in one line. Is there a way?

gazay commented

Hello! There is an option for that https://github.com/gazay/gon/wiki/Options#nonce--foo

Spone commented

Great! But I think you could update the documentation, as nonce generation is now included in Rails 5.2.

You no longer need to use secure_headers gem, you can just do:

<%= include_gon nonce: content_security_policy_nonce %>

This works and also fixes the issue when you use Turbolinks on Rails. You might get this response when Turbolinks makes HTTP requests: "failed to load response data: No response with given identifier"
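As an added example (not gon's or Rails' own code), here is a stand-alone Ruby model of why that one-liner works: the Content-Security-Policy header and the rendered `<script>` tag must carry the same per-request nonce, which Rails only fills in once `config.content_security_policy_nonce_generator` is set. `NONCE_GENERATOR` stands in for that Rails generator and `gon_script_tag` is a simplified stand-in for what `include_gon nonce: ...` renders.

```ruby
require "securerandom"
require "json"

# Stand-in for Rails' content_security_policy_nonce_generator (hypothetical
# model, not Rails code): one unpredictable value per request. If this is not
# configured in Rails, content_security_policy_nonce returns nil and no nonce
# reaches the tag.
NONCE_GENERATOR = ->(_request) { SecureRandom.base64(16) }

# Builds the script-src part of the CSP header value, with the nonce source
# appended to the configured sources.
def csp_header(nonce, script_src: ["'self'"])
  "script-src #{(script_src + ["'nonce-#{nonce}'"]).join(' ')}"
end

# Models what `include_gon nonce: content_security_policy_nonce` renders:
# the gon assignments inside one <script> tag carrying the nonce attribute.
def gon_script_tag(gon_data, nonce)
  assignments = gon_data.map { |k, v| "gon.#{k}=#{v.to_json};" }.join
  %(<script nonce="#{nonce}">window.gon={};#{assignments}</script>)
end

# The check a browser performs: the tag's nonce must appear verbatim in the
# header's script-src directive, otherwise the inline script is blocked.
def script_allowed?(header, tag)
  tag_nonce = tag[/nonce="([^"]+)"/, 1]
  return false if tag_nonce.nil?
  header.split.include?("'nonce-#{tag_nonce}'")
end

# Simulate one request: header and tag are built from the same nonce, which
# is exactly what the view helper and the Rails middleware do per request.
def render_request(gon_data)
  nonce = NONCE_GENERATOR.call(nil)
  [csp_header(nonce), gon_script_tag(gon_data, nonce)]
end
```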
