From a783bdf4adee3444e9cd32c2eaa0712214ba1230 Mon Sep 17 00:00:00 2001 From: ThibG Date: Tue, 7 Jul 2020 01:33:38 +0200 Subject: [PATCH] Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select --- .../components/column_settings.js | 27 ++++++++++--------- app/views/layouts/application.html.haml | 1 + .../initializers/content_security_policy.rb | 18 +++++++++++++ 3 files changed, 34 insertions(+), 12 deletions(-) diff --git a/app/javascript/mastodon/features/hashtag_timeline/components/column_settings.js b/app/javascript/mastodon/features/hashtag_timeline/components/column_settings.js index 956f16734..27300f020 100644 --- a/app/javascript/mastodon/features/hashtag_timeline/components/column_settings.js +++ b/app/javascript/mastodon/features/hashtag_timeline/components/column_settings.js @@ -4,6 +4,7 @@ import ImmutablePropTypes from 'react-immutable-proptypes'; import { defineMessages, injectIntl, FormattedMessage } from 'react-intl'; import Toggle from 'react-toggle'; import AsyncSelect from 'react-select/async'; +import { NonceProvider } from 'react-select'; import SettingToggle from '../../notifications/components/setting_toggle'; const messages = defineMessages({ @@ -58,18 +59,20 @@ class ColumnSettings extends React.PureComponent { {this.modeLabel(mode)} - + + + ); } diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml index 39fa0678f..e32cdcabb 100755 --- a/app/views/layouts/application.html.haml +++ b/app/views/layouts/application.html.haml @@ -25,6 +25,7 @@ = javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous' = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous' = csrf_meta_tags + %meta{ name: 'style-nonce', content: request.content_security_policy_nonce } = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style' diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 7dcc028ab..98dc711e1 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -47,7 +47,25 @@ end # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only # Rails.application.config.content_security_policy_report_only = true +Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) } + +# Monkey-patching Rails 5 +module ActionDispatch + class ContentSecurityPolicy + def nonce_directive?(directive) + directive == 'style-src' + end + end +end + +# Rails 6 would require the following instead: +# Rails.application.config.content_security_policy_nonce_directives = %w(style-src) + PgHero::HomeController.content_security_policy do |p| p.script_src :self, :unsafe_inline, assets_host p.style_src :self, :unsafe_inline, assets_host end + +PgHero::HomeController.after_action do + request.content_security_policy_nonce_generator = nil +end