From 7602855fc19d302fa7446d532dd7c24e66d613aa Mon Sep 17 00:00:00 2001
From: Judah Meek
Date: Wed, 5 Nov 2025 16:54:26 -0600
Subject: [PATCH] demonstrate that ReactOnRails client-side rendering scripts do not violate CSP
---
 Gemfile.lock | 1 +
 app/views/hello_world/index.html.erb | 2 +-
 .../initializers/content_security_policy.rb | 26 +++++++++----------
 3 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 3c4dbe2..55b97b3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -233,6 +233,7 @@ GEM
 PLATFORMS
 x86_64-darwin-22
+ x86_64-darwin-23
 x86_64-linux
 DEPENDENCIES
diff --git a/app/views/hello_world/index.html.erb b/app/views/hello_world/index.html.erb
index 8286490..f8e3c17 100644
--- a/app/views/hello_world/index.html.erb
+++ b/app/views/hello_world/index.html.erb
@@ -1,2 +1,2 @@

Hello, World!

-<%= react_component("HelloWorld", props: @hello_world_props, prerender: true) %>
+<%= react_component("HelloWorld", props: @hello_world_props, prerender: false) %>
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 41c4301..69958b3 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,25 +4,25 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-# Rails.application.config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# policy.style_src :self, :https
+Rails.application.config.content_security_policy do |policy|
+ policy.default_src :self, :https
+ policy.font_src :self, :https, :data
+ policy.img_src :self, :https, :data
+ policy.object_src :none
+ policy.script_src :self, :https
+ policy.style_src :self, :https
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
+ # Specify URI for violation reports
+ # policy.report_uri "/csp-violation-report-endpoint"
+end
 # If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+Rails.application.config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
 # Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
+Rails.application.config.content_security_policy_nonce_directives = %w(script-src style-src)
 # Report CSP violations to a specified URI
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# Rails.application.config.content_security_policy_report_only = true
+Rails.application.config.content_security_policy_report_only = true
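Review bot: The new `content_security_policy_nonce_generator` line derives the nonce from `request.session.id.to_s`, which keeps the nonce constant for the lifetime of the session and writes the session id into the markup of every response, where any markup injection can read it even though the session cookie itself is HttpOnly; it also appears to yield an empty nonce when a request has no session id yet, and an empty `nonce-` source will not match any script. The commented-out `SecureRandom.base64(16)` form produces a fresh per-response nonce, so unless a session-stable nonce is needed for conditional-GET caching I would restore it as `Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }`. Separately, `content_security_policy_report_only = true` means the policy is never enforced, and with `policy.report_uri` still commented out a violation is visible only in the browser console, so a page that renders cleanly proves little; flip report-only off once the demonstration is done, or enable `report_uri` so reports are captured. Note also that `policy.script_src :self, :https` admits scripts from any HTTPS origin, so the nonce here only gates inline scripts rather than the full script surface.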