Add a config for auto-including nonce (rails#53835)

This config option `content_security_policy_nonce_auto` allows to automatically include a `nonce` to tags affected by the directives specified in the config option `content_security_policy_nonce_directives`. It requires `config.content_security_policy_nonce_generator` to be defined.

Author: francktrouillez

actionview/CHANGELOG.md

@@ -47,4 +47,8 @@
 
     *brendon*
 
+*   Add a new configuration `content_security_policy_nonce_auto` for automatically adding a nonce to the tags affected by the directives specified by the `content_security_policy_nonce_directives` configuration option.
+
+    *francktrouillez*
+
 Please check [8-0-stable](https://github.com/rails/rails/blob/8-0-stable/actionview/CHANGELOG.md) for previous changes.

actionview/lib/action_view/helpers/asset_tag_helper.rb

@@ -26,6 +26,8 @@ module AssetTagHelper
       mattr_accessor :image_decoding
       mattr_accessor :preload_links_header
       mattr_accessor :apply_stylesheet_media_default
+      mattr_accessor :auto_include_nonce_for_scripts
+      mattr_accessor :auto_include_nonce_for_styles
 
       # Returns an HTML script tag for each of the +sources+ provided.
       #
@@ -135,7 +137,7 @@ def javascript_include_tag(*sources)
             "src" => href,
             "crossorigin" => crossorigin
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_scripts)
             tag_options["nonce"] = content_security_policy_nonce
           end
           content_tag("script", "", tag_options)
@@ -225,7 +227,7 @@ def stylesheet_link_tag(*sources)
             "crossorigin" => crossorigin,
             "href" => href
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_styles)
             tag_options["nonce"] = content_security_policy_nonce
           end
 

actionview/lib/action_view/helpers/javascript_helper.rb

@@ -4,6 +4,8 @@ module ActionView
   module Helpers # :nodoc:
     # = Action View JavaScript \Helpers
     module JavaScriptHelper
+      mattr_accessor :auto_include_nonce
+
       JS_ESCAPE_MAP = {
         "\\"    => "\\\\",
         "</"    => '<\/',
@@ -81,7 +83,7 @@ def javascript_tag(content_or_options_with_block = nil, html_options = {}, &bloc
             content_or_options_with_block
           end
 
-        if html_options[:nonce] == true
+        if html_options[:nonce] == true || (!html_options.key?(:nonce) && auto_include_nonce)
           html_options[:nonce] = content_security_policy_nonce
         end
 

actionview/lib/action_view/railtie.rb

@@ -71,6 +71,12 @@ class Railtie < Rails::Engine # :nodoc:
       ActionView::Helpers::AssetTagHelper.apply_stylesheet_media_default = app.config.action_view.delete(:apply_stylesheet_media_default)
     end
 
+    config.after_initialize do |app|
+      ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_scripts = app.config.content_security_policy_nonce_auto && app.config.content_security_policy_nonce_directives.intersect?(["script-src", "script-src-elem", "script-src-attr"]) && app.config.content_security_policy_nonce_generator.present?
+      ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_styles = app.config.content_security_policy_nonce_auto && app.config.content_security_policy_nonce_directives.intersect?(["style-src", "style-src-elem", "style-src-attr"]) && app.config.content_security_policy_nonce_generator.present?
+      ActionView::Helpers::JavaScriptHelper.auto_include_nonce = app.config.content_security_policy_nonce_auto && app.config.content_security_policy_nonce_directives.intersect?(["script-src", "script-src-elem", "script-src-attr"]) && app.config.content_security_policy_nonce_generator.present?
+    end
+
     config.after_initialize do |app|
       ActiveSupport.on_load(:action_view) do
         app.config.action_view.each do |k, v|

actionview/test/template/asset_tag_helper_test.rb

@@ -15,6 +15,24 @@ def with_preload_links_header(new_preload_links_header = true)
   ensure
     ActionView::Helpers::AssetTagHelper.preload_links_header = original_preload_links_header
   end
+
+  def with_auto_include_nonce_for_scripts(new_auto_include_nonce_for_scripts = true)
+    original_auto_include_nonce_for_scripts = ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_scripts
+    ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_scripts = new_auto_include_nonce_for_scripts
+
+    yield
+  ensure
+    ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_scripts = original_auto_include_nonce_for_scripts
+  end
+
+  def with_auto_include_nonce_for_styles(new_auto_include_nonce_for_styles = true)
+    original_auto_include_nonce_for_styles = ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_styles
+    ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_styles = new_auto_include_nonce_for_styles
+
+    yield
+  ensure
+    ActionView::Helpers::AssetTagHelper.auto_include_nonce_for_styles = original_auto_include_nonce_for_styles
+  end
 end
 
 class AssetTagHelperTest < ActionView::TestCase
@@ -540,6 +558,12 @@ def test_javascript_include_tag_nonce
     assert_dom_equal %(<script src="/javascripts/bank.js" nonce="iyhD0Yc0W+c="></script>), javascript_include_tag("bank", nonce: true)
   end
 
+  def test_javascript_include_tag_nonce_with_auto_nonce
+    with_auto_include_nonce_for_scripts do
+      assert_dom_equal %(<script src="/javascripts/bank.js" nonce="iyhD0Yc0W+c="></script>), javascript_include_tag("bank")
+    end
+  end
+
   def test_stylesheet_path
     StylePathToTag.each { |method, tag| assert_dom_equal(tag, eval(method)) }
   end
@@ -564,6 +588,12 @@ def test_stylesheet_link_tag_nonce
     assert_dom_equal %(<link rel="stylesheet" href="/stylesheets/foo.css" nonce="iyhD0Yc0W+c="></link>), stylesheet_link_tag("foo.css", nonce: true)
   end
 
+  def test_stylesheet_link_tag_nonce_with_auto_nonce
+    with_auto_include_nonce_for_styles do
+      assert_dom_equal %(<link rel="stylesheet" href="/stylesheets/foo.css" nonce="iyhD0Yc0W+c="></link>), stylesheet_link_tag("foo.css")
+    end
+  end
+
   def test_stylesheet_link_tag_with_missing_source
     assert_nothing_raised {
       stylesheet_link_tag("missing_security_guard")

actionview/test/template/javascript_helper_test.rb

@@ -10,6 +10,7 @@ class JavaScriptHelperTest < ActionView::TestCase
 
   setup do
     @old_escape_html_entities_in_json = ActiveSupport.escape_html_entities_in_json
+    @old_auto_include_nonce = ActionView::Helpers::JavaScriptHelper.auto_include_nonce
     ActiveSupport.escape_html_entities_in_json = true
     @template = self
     @request = Class.new do
@@ -19,6 +20,7 @@ def send_early_hints(links) end
 
   def teardown
     ActiveSupport.escape_html_entities_in_json = @old_escape_html_entities_in_json
+    ActionView::Helpers::JavaScriptHelper.auto_include_nonce = @old_auto_include_nonce
   end
 
   def test_escape_javascript
@@ -77,4 +79,12 @@ def test_javascript_tag_with_options
   def test_javascript_cdata_section
     assert_dom_equal "\n//<![CDATA[\nalert('hello')\n//]]>\n", javascript_cdata_section("alert('hello')")
   end
+
+  def test_javascript_tag_with_auto_nonce_for_content_security_policy
+    instance_eval { def content_security_policy_nonce = "iyhD0Yc0W+c=" }
+    ActionView::Helpers::JavaScriptHelper.auto_include_nonce = true
+
+    assert_dom_equal "<script nonce=\"iyhD0Yc0W+c=\">\n//<![CDATA[\nalert('hello')\n//]]>\n</script>",
+      javascript_tag("alert('hello')")
+  end
 end

guides/source/configuring.md

@@ -284,6 +284,10 @@ console do
 end
 ```
 
+#### `config.content_security_policy_nonce_auto`
+
+See [Adding a Nonce](security.html#adding-a-nonce) in the Security Guide
+
 #### `config.content_security_policy_nonce_directives`
 
 See [Adding a Nonce](security.html#adding-a-nonce) in the Security Guide

guides/source/security.md

@@ -1503,6 +1503,21 @@ The same works with `javascript_include_tag` and the `stylesheet_link_tag`:
 <%= stylesheet_link_tag "style.css", nonce: true %>
 ```
 
+To automatically attach a nonce to `javascript_tag`, `javascript_include_tag`, and
+`stylesheet_link_tag` if the corresponding directives are specified in `config.content_security_policy_nonce_directives`,
+you can set `config.content_security_policy_nonce_auto` to `true`:
+
+```ruby
+Rails.application.config.content_security_policy_nonce_auto = true
+```
+
+This is especially useful for 3rd-party views when using nonce-based source expressions
+in your Content Security Policy.
+
+NOTE: Be mindful of caching. Since the nonce is typically generated per request,
+enabling this may lead to cache fragmentation or stale content if your caching strategy
+doesn't account for dynamic nonces.
+
 Use [`csp_meta_tag`](https://api.rubyonrails.org/classes/ActionView/Helpers/CspHelper.html#method-i-csp_meta_tag)
 helper to create a meta tag "csp-nonce" with the per-session nonce value
 for allowing inline `<script>` tags.

railties/lib/rails/application/configuration.rb

@@ -21,6 +21,7 @@ class Configuration < ::Rails::Engine::Configuration
                     :beginning_of_week, :filter_redirect, :x,
                     :content_security_policy_report_only,
                     :content_security_policy_nonce_generator, :content_security_policy_nonce_directives,
+                    :content_security_policy_nonce_auto,
                     :require_master_key, :credentials, :disable_sandbox, :sandbox_by_default,
                     :add_autoload_paths_to_load_path, :rake_eager_load, :server_timing, :log_file_size,
                     :dom_testing_default_html_version, :yjit
@@ -72,6 +73,7 @@ def initialize(*)
         @content_security_policy_report_only     = false
         @content_security_policy_nonce_generator = nil
         @content_security_policy_nonce_directives = nil
+        @content_security_policy_nonce_auto      = false
         @require_master_key                      = false
         @loaded_config_version                   = nil
         @credentials                             = ActiveSupport::InheritableOptions.new(credentials_defaults)

railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt

@@ -20,6 +20,10 @@
 #   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
 #   config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
+#   # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`
+#   # if the corresponding directives are specified in `content_security_policy_nonce_directives`.
+#   # config.content_security_policy_nonce_auto = true
+#
 #   # Report violations without enforcing the policy.
 #   # config.content_security_policy_report_only = true
 # end