Content Security Policy
Nonces
We allow inline style and script tags only when the element carries a nonce attribute matching the nonce advertised in the Content-Security-Policy header.
For Turbo caching to work, the CSP nonce must stay the same across responses within a session, so we derive it from a digest of the session id.
config.content_security_policy_nonce_generator = ->(request) { Digest::MD5.hexdigest("nonce" + request.session.id.to_s) }
config.content_security_policy_nonce_directives = %w[style-src script-src]
config.content_security_policy_nonce_auto = true
Render csp_meta_tag in the layout's head so the nonce is available to client-side code:
<head>
<%= csp_meta_tag %>
</head>
For inline stylesheets, you must pass the nonce explicitly:
<style nonce="<%= content_security_policy_nonce %>">
...
</style>
For inline JavaScript, javascript_tag can add the nonce for you:
<%= javascript_tag nonce: true do -%>
alert('Hello, World!');
<% end -%>
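As an added example (not part of this app's code), the following Ruby mirrors the session-bound generator configured above and checks a rendered response against its CSP header: it confirms the nonce is stable within a session and differs between sessions, and reports any inline style or script tag whose nonce does not match the header, which is exactly what the browser would block. FakeRequest, FakeSession and csp_header are stand-ins for the Rails request object and the header Rails emits.

```ruby
require "digest"

# Hypothetical stand-ins for the ActionDispatch::Request the generator receives.
FakeRequest = Struct.new(:session)
FakeSession = Struct.new(:id)

# Same generator as in the config above: one nonce per session, not per response.
NONCE_GENERATOR = ->(request) { Digest::MD5.hexdigest("nonce" + request.session.id.to_s) }

# Constructed approximation of the header Rails emits for the configured
# nonce directives (style-src and script-src).
def csp_header(nonce)
  "default-src 'self'; style-src 'self' 'nonce-#{nonce}'; script-src 'self' 'nonce-#{nonce}'"
end

# Nonce value the header advertises for one directive, or nil if absent.
def header_nonce(header, directive)
  part = header.split(";").map(&:strip).find { |d| d.start_with?("#{directive} ") }
  return nil unless part
  m = part.match(/'nonce-([A-Za-z0-9+\/=_-]+)'/)
  m && m[1]
end

# Inline <style>/<script> tags whose nonce attribute does not match the header
# nonce. Scripts with a src attribute are covered by 'self' and skipped here.
def unmatched_inline_tags(html, nonce)
  html.scan(/<(style|script)\b([^>]*)>/i).reject do |tag, attrs|
    next true if tag.casecmp("script").zero? && attrs =~ /\bsrc=/i
    attrs =~ /\bnonce=["']#{Regexp.escape(nonce)}["']/
  end.map { |tag, _| tag.downcase }
end
```

Because the nonce is fixed for the whole session, it is only as unpredictable as the session id it is derived from, so the session id must never be exposed to page content.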