Fix CSP nonce support for flamegraph rendering

The flamegraph page was missing CSP nonce attributes on its inline script tags,
causing Content Security Policy violations when nonces were configured. This
change extracts the nonce retrieval logic into a shared method and applies it
consistently to both the main profiler UI and flamegraph pages.

Author: xrav3nz

CHANGELOG.md

@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## Unreleased
+
+- [FIX] Add CSP nonce support to flamegraph rendering [#](https://github.com/MiniProfiler/rack-mini-profiler/pull/)
+
 ## 4.0 - 2025-06-11
 
 - [BREAKING CHANGE] Ruby version 3.1.0 or later is required. [#632](https://github.com/MiniProfiler/rack-mini-profiler/pull/632)

lib/mini_profiler/views.rb

@@ -10,6 +10,18 @@ def share_template
         @share_template ||= ERB.new(::File.read(::File.expand_path("../html/share.html", ::File.dirname(__FILE__))))
       end
 
+      def get_csp_nonce(env, response_headers = {})
+        configured_nonce = @config.content_security_policy_nonce
+        if configured_nonce && !configured_nonce.is_a?(String)
+          configured_nonce = configured_nonce.call(env, response_headers)
+        end
+
+        configured_nonce ||
+          env["action_dispatch.content_security_policy_nonce"] ||
+          env["secure_headers_content_security_policy_nonce"] ||
+          ""
+      end
+
       def generate_html(page_struct, env, result_json = page_struct.to_json)
         # double-assigning to suppress "assigned but unused variable" warnings
         path = path = "#{env['RACK_MINI_PROFILER_ORIGINAL_SCRIPT_NAME']}#{@config.base_url_path}"
@@ -39,15 +51,6 @@ def get_profile_script(env, response_headers = {})
         url = "#{path}includes.js?v=#{version}" if !url
         css_url = "#{path}includes.css?v=#{version}" if !css_url
 
-        configured_nonce = @config.content_security_policy_nonce
-        if configured_nonce && !configured_nonce.is_a?(String)
-          configured_nonce = configured_nonce.call(env, response_headers)
-        end
-
-        content_security_policy_nonce = configured_nonce ||
-                                        env["action_dispatch.content_security_policy_nonce"] ||
-                                        env["secure_headers_content_security_policy_nonce"]
-
         settings = {
          path: path,
          url: url,
@@ -66,7 +69,7 @@ def get_profile_script(env, response_headers = {})
          collapseResults: @config.collapse_results,
          htmlContainer: @config.html_container,
          hiddenCustomFields: @config.snapshot_hidden_custom_fields.join(','),
-         cspNonce: content_security_policy_nonce,
+         cspNonce: get_csp_nonce(env, response_headers),
          hotwireTurboDriveSupport: @config.enable_hotwire_turbo_drive_support,
         }
 
@@ -112,6 +115,8 @@ def make_link(postfix, env)
       def flamegraph(graph, path, env)
         headers = { 'content-type' => 'text/html' }
         iframe_src = "#{public_base_path(env)}speedscope/index.html"
+        csp_nonce = get_csp_nonce(env, headers)
+
         html = <<~HTML
           <!DOCTYPE html>
           <html>
@@ -123,7 +128,7 @@ def flamegraph(graph, path, env)
               </style>
             </head>
             <body>
-              <script type="text/javascript">
+              <script type="text/javascript" nonce="#{csp_nonce}">
                 var graph = #{JSON.generate(graph)};
                 var json = JSON.stringify(graph);
                 var blob = new Blob([json], { type: 'text/plain' });

spec/integration/middleware_spec.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'rack'
 require 'rack/test'
 require 'zlib'
 
@@ -280,5 +281,68 @@ def app
       expect(env["REQUEST_METHOD"]).to eq("GET")
       expect(response_headers["Content-Type"]).to eq("text/html")
     end
+
+  end
+
+  context 'flamegraph with CSP nonce' do
+    class CSPMiddleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        env["action_dispatch.content_security_policy_nonce"] = "railsflamenonce"
+        @app.call(env)
+      end
+    end
+
+    def app
+      Rack::Builder.new do
+        use CSPMiddleware
+        use Rack::MiniProfiler
+        run lambda { |env|
+          [200, { 'Content-Type' => 'text/html' }, ['<html><body><h1>Hello</h1></body></html>']]
+        }
+      end
+    end
+
+    def do_flamegraph_test
+      pid = fork do # Avoid polluting main process with stackprof
+        require 'stackprof'
+
+        get '/html?pp=async-flamegraph'
+        expect(last_response).to be_ok
+        flamegraph_path = last_response.headers['X-MiniProfiler-Flamegraph-Path']
+
+        get flamegraph_path
+        expect(last_response).to be_ok
+        yield last_response.body
+      end
+
+      Process.wait(pid)
+      expect($?.exitstatus).to eq(0)
+    end
+
+    it 'uses Rails value when available' do
+      do_flamegraph_test do |body|
+        expect(body).to include('<script type="text/javascript" nonce="railsflamenonce">')
+      end
+    end
+
+    it 'uses configured string when available' do
+      Rack::MiniProfiler.config.content_security_policy_nonce = "configuredflamenonce"
+
+      do_flamegraph_test do |body|
+        expect(body).to include('<script type="text/javascript" nonce="configuredflamenonce">')
+      end
+    end
+
+    it 'calls configured block when available' do
+      Rack::MiniProfiler.config.content_security_policy_nonce = Proc.new { "dynamicflamenonce" }
+
+      do_flamegraph_test do |body|
+        expect(body).to include('<script type="text/javascript" nonce="dynamicflamenonce">')
+      end
+    end
   end
 end