Date: 2024-06-25
Accepted
The Content-Security-Policy header generated by the secure_headers gem does not work with Rails UJS AJAX forms.
Rails UJS AJAX forms may well be used in this project if it does not adopt a full SPA library.
Using Rails' built-in CSP controls, while keeping SecureHeaders in place for the other headers, gives a secure setup that works seamlessly with those forms.
In order to define an inline <script> tag, use the nonce: true option.
<%= javascript_tag nonce: true do %>
alert("my js runs here");
<% end %>
If you output variables inside a nonce-protected script tag, you can cancel out the XSS protection that CSP gives you: the nonce tells the browser to trust the whole block, including whatever you interpolated into it.
For example, assume you have a URL such as /example/?id=123 and you output that id value from the URL in your script block:
<%= javascript_tag nonce: true do %>
var id = <%= params[:id] %>
<% end %>
Now an attacker could request the URL /example/?id=doSomethingBad(), and your application would send back:
<script nonce="rAnd0m">
var id = doSomethingBad()
</script>
As you can see, we have thrown away all of the cross-site scripting protection of CSP by using the nonce improperly: the nonce authorises the whole script body, so every value interpolated into it must be encoded as data, never spliced in as code.
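The following is an added example, not code from this ADR or from Rails, showing the two points above side by side: a per-response nonce and matching script-src header, the unsafe pattern where a query-string value is spliced into the nonce-protected script, and a hardened rendering that encodes the value as a JSON literal so the browser only ever sees data. It uses only the Ruby standard library; javascript_tag and the CSP header are simulated with string building, and the helper names (generate_nonce, csp_header, unsafe_script, safe_script, js_literal, executes_payload?) are assumptions for this example.

```ruby
require "json"
require "securerandom"

# Added example (not from the ADR): a stdlib-only model of a nonce-protected
# inline script. Rails' `javascript_tag nonce: true` and the CSP header are
# simulated with plain strings so the rendering difference is visible.

# One fresh nonce per response, as Rails' content_security_policy_nonce_generator does.
def generate_nonce
  SecureRandom.base64(16)
end

# The header a Rails app emits when script_src is :self plus the request nonce.
def csp_header(nonce)
  "script-src 'self' 'nonce-#{nonce}'"
end

# The ADR's vulnerable pattern: the untrusted value is spliced straight into JS.
# The nonce makes the browser trust the entire block, payload included.
def unsafe_script(nonce, untrusted_id)
  "<script nonce=\"#{nonce}\">\nvar id = #{untrusted_id}\n</script>"
end

# Characters that must never reach a <script> body unencoded: they could close
# the tag or confuse the JS parser. Same idea as Rails' json_escape helper.
JS_ESCAPES = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Encode any Ruby value as a JS literal that is safe inside a script body.
def js_literal(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |c| JS_ESCAPES[c] }
end

# Hardened rendering: the value becomes a JSON string literal, so whatever the
# query string held arrives in the page as data rather than as code.
def safe_script(nonce, untrusted_id)
  "<script nonce=\"#{nonce}\">\nvar id = #{js_literal(untrusted_id)}\n</script>"
end

# Check used below: does the rendered HTML contain the payload as bare code?
def executes_payload?(html, payload)
  html.include?("var id = #{payload}\n")
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_nonce
  payload = "doSomethingBad()" # constructed: the request value from the ADR's example
  puts csp_header(nonce)
  puts unsafe_script(nonce, payload)
  puts safe_script(nonce, payload)
end
```

In a real Rails app the equivalent of js_literal is `<%= raw params[:id].to_json %>` (or `json_escape`) inside the nonce-protected block, and the nonce itself comes from `config.content_security_policy_nonce_generator` in the CSP initializer; the important property, shown by the last two functions, is that the hardened rendering never contains the payload as executable code and never lets it close the script tag.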