1 change: 1 addition & 0 deletions Gemfile.lock
@@ -233,6 +233,7 @@ GEM

PLATFORMS
x86_64-darwin-22
x86_64-darwin-23
x86_64-linux

DEPENDENCIES
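Review bot: the only change in this file is a new `x86_64-darwin-23` entry under PLATFORMS, a side effect of running bundler on a newer macOS; it is harmless but unrelated to the CSP work in this PR, so either drop it from the commit or mention it in the commit message so the lockfile churn is explained.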
2 changes: 1 addition & 1 deletion app/views/hello_world/index.html.erb
@@ -1,2 +1,2 @@
<h1>Hello, World!</h1>
<%= react_component("HelloWorld", props: @hello_world_props, prerender: true) %>
<%= react_component("HelloWorld", props: @hello_world_props, prerender: false) %>
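Review bot: flipping `prerender: true` to `prerender: false` disables server-side rendering of HelloWorld, and nothing in the PR explains why. If the reason is that server rendering emits inline script that the new nonce-based CSP in this PR blocks, say so in the commit message and prefer passing the request nonce through to the rendered output rather than giving up server rendering for the page.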
26 changes: 13 additions & 13 deletions config/initializers/content_security_policy.rb
@@ -4,25 +4,25 @@
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

# Rails.application.config.content_security_policy do |policy|
# policy.default_src :self, :https
# policy.font_src :self, :https, :data
# policy.img_src :self, :https, :data
# policy.object_src :none
# policy.script_src :self, :https
# policy.style_src :self, :https
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https
policy.style_src :self, :https
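Review bot: the policy enumerates fetch directives only; `base-uri`, `form-action` and `frame-ancestors` do not fall back to `default-src`, so with this configuration an injected `<base href>` can redirect every relative script URL, forms can be made to post anywhere, and the app can be framed by any origin. Add `policy.base_uri :self`, `policy.form_action :self` and `policy.frame_ancestors :none` (or `:self` if the app is legitimately embedded) next to `policy.object_src :none`.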
Comment on lines +12 to +13
⚠️ Potential issue | 🟠 Major

Overly permissive CSP policy weakens security guarantees.

The :https directive in script-src and style-src allows loading scripts and styles from any HTTPS source, which significantly undermines CSP protection. If an attacker can control any HTTPS URL referenced in your application (e.g., through URL parameters, user input, or compromised third-party sources), they can bypass CSP.

Consider one of these approaches:

  1. Remove :https and rely solely on nonces (once the nonce generator is fixed):
-  policy.script_src  :self, :https
-  policy.style_src   :self, :https
+  policy.script_src  :self
+  policy.style_src   :self
  2. Explicitly allowlist trusted CDN domains:
-  policy.script_src  :self, :https
-  policy.style_src   :self, :https
+  policy.script_src  :self, "https://cdn.jsdelivr.net"
+  policy.style_src   :self, "https://cdn.jsdelivr.net"

# # Specify URI for violation reports
# # policy.report_uri "/csp-violation-report-endpoint"
# end
# Specify URI for violation reports
# policy.report_uri "/csp-violation-report-endpoint"
end

# If you are using UJS then enable automatic nonce generation
# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
Rails.application.config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
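Review bot: besides not being per-request, `request.session.id` can be nil for a visitor who has no session cookie yet, so `.to_s` yields an empty string and the header is emitted with a bare `'nonce-'`; it also forces a session lookup on every response, including ones that never touch the session. Use the per-request generator from the template comment directly above, `SecureRandom.base64(16)`, and make sure the inline helpers in the views pass `nonce: true` (for example `javascript_tag nonce: true`) so the generated value actually reaches the tags the policy is meant to cover.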
⚠️ Potential issue | 🔴 Critical

CRITICAL: Session ID as CSP nonce is a major security vulnerability.

Using request.session.id.to_s as a CSP nonce completely undermines CSP protection. CSP nonces must be:

  1. Cryptographically random
  2. Unique per request (session IDs are reused across requests)
  3. Unpredictable (session IDs may be enumerable or leaked)

An attacker who obtains the session ID (through XSS, session fixation, network sniffing, etc.) can inject inline scripts/styles that will bypass CSP validation.

Apply this fix to use a cryptographically secure random nonce:

-Rails.application.config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }
🤖 Prompt for AI Agents
In config/initializers/content_security_policy.rb around line 20, replace the
use of request.session.id as the CSP nonce with a cryptographically secure,
per-request random value: generate a fresh secure random nonce (e.g. via
SecureRandom.urlsafe_base64 or SecureRandom.base64 with sufficient entropy)
inside the nonce_generator lambda so it is unique and unpredictable for each
request, do not persist it in the session or elsewhere, and ensure the rest of
your CSP setup uses that generated nonce for the script/style nonces.


# Set the nonce only to specific directives
# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
Rails.application.config.content_security_policy_nonce_directives = %w(script-src style-src)

# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true
Rails.application.config.content_security_policy_report_only = true
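Review bot: `content_security_policy_report_only = true` on the last line makes the entire policy advisory, while `policy.report_uri` a few lines up stays commented out, so violations are only printed to the browser console and never reach the team. Either uncomment `policy.report_uri "/csp-violation-report-endpoint"` (and stand up the endpoint) while the policy is in report-only mode, or drop the report-only line so the policy is actually enforced once the nonce generator is fixed; as written the header provides no protection.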