Fix hashtag column options styling (#14247)

* Enable nonces for stylesheets * Pass nonce to react-select
3 years ago · a783bdf4ad
--- a/app/javascript/mastodon/features/hashtag_timeline/components/column_settings.js
+++ b/app/javascript/mastodon/features/hashtag_timeline/components/column_settings.js
@ -4,6 +4,7 @@ import ImmutablePropTypes from 'react-immutable-proptypes';
 import { defineMessages, injectIntl, FormattedMessage } from 'react-intl';
 import Toggle from 'react-toggle';
 import AsyncSelect from 'react-select/async';
 import { NonceProvider } from 'react-select';
 import SettingToggle from '../../notifications/components/setting_toggle';

 const messages = defineMessages({
@ -58,18 +59,20 @@ class ColumnSettings extends React.PureComponent {
          {this.modeLabel(mode)}
        </span>

        <AsyncSelect
          isMulti
          autoFocus
          value={this.tags(mode)}
          onChange={this.onSelect(mode)}
          loadOptions={this.props.onLoad}
          className='column-select__container'
          classNamePrefix='column-select'
          name='tags'
          placeholder={this.props.intl.formatMessage(messages.placeholder)}
          noOptionsMessage={this.noOptionsMessage}
        />
        <NonceProvider nonce={document.querySelector('meta[name=style-nonce]').content}>
          <AsyncSelect
            isMulti
            autoFocus
            value={this.tags(mode)}
            onChange={this.onSelect(mode)}
            loadOptions={this.props.onLoad}
            className='column-select__container'
            classNamePrefix='column-select'
            name='tags'
            placeholder={this.props.intl.formatMessage(messages.placeholder)}
            noOptionsMessage={this.noOptionsMessage}
          />
        </NonceProvider>
      </div>
    );
  }
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@ -25,6 +25,7 @@
    = javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
    = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
    = csrf_meta_tags
    %meta{ name: 'style-nonce', content: request.content_security_policy_nonce }

    = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'

--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -47,7 +47,25 @@ end
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true

 Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

 # Monkey-patching Rails 5
 module ActionDispatch
  class ContentSecurityPolicy
    def nonce_directive?(directive)
      directive == 'style-src'
    end
  end
 end

 # Rails 6 would require the following instead:
 # Rails.application.config.content_security_policy_nonce_directives = %w(style-src)

 PgHero::HomeController.content_security_policy do |p|
  p.script_src :self, :unsafe_inline, assets_host
  p.style_src  :self, :unsafe_inline, assets_host
 end

 PgHero::HomeController.after_action do
  request.content_security_policy_nonce_generator = nil
 end