Commit f5a4140
Address PR #3934 review feedback on canary baseline and nonce escaping
- strict_csp.spec.ts: wait for the streamed content (header + both
Suspense branches at level 0) to be fully delivered before asserting
the zero-violation baseline in the enforcement-canary test. Previously
the baseline ran right after the load event, when streamed chunks
could still be in transit, making the pre-canary assertion vacuous.
- application_controller.rb: HTML-escape the CSP nonce before
interpolating it into the script tag attribute. Safe today with
Rails' base64/session generators, but the raw interpolation was a
copyable pattern that a custom nonce generator could break out of.
The docs page already shows only the safe helper-based patterns
(javascript_tag/javascript_include_tag with nonce: true), so no docs
change is needed.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>1 parent a65c757 commit f5a4140
2 files changed
Lines changed: 13 additions & 1 deletion
File tree
- react_on_rails_pro/spec/dummy
- app/controllers
- e2e-tests
Lines changed: 4 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
52 | 52 | | |
53 | 53 | | |
54 | 54 | | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
55 | 58 | | |
56 | | - | |
| 59 | + | |
57 | 60 | | |
58 | 61 | | |
59 | 62 | | |
| |||
Lines changed: 9 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
135 | 135 | | |
136 | 136 | | |
137 | 137 | | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
138 | 147 | | |
139 | 148 | | |
140 | 149 | | |
| |||
0 commit comments