forked from treehouse/mastodon
Fix hashtag column options styling (#14247)
* Enable nonces for stylesheets * Pass nonce to react-selectsignup-info-prompt
parent
c3187411c2
commit
a783bdf4ad
|
@ -4,6 +4,7 @@ import ImmutablePropTypes from 'react-immutable-proptypes';
|
|||
import { defineMessages, injectIntl, FormattedMessage } from 'react-intl';
|
||||
import Toggle from 'react-toggle';
|
||||
import AsyncSelect from 'react-select/async';
|
||||
import { NonceProvider } from 'react-select';
|
||||
import SettingToggle from '../../notifications/components/setting_toggle';
|
||||
|
||||
const messages = defineMessages({
|
||||
|
@ -58,6 +59,7 @@ class ColumnSettings extends React.PureComponent {
|
|||
{this.modeLabel(mode)}
|
||||
</span>
|
||||
|
||||
<NonceProvider nonce={document.querySelector('meta[name=style-nonce]').content}>
|
||||
<AsyncSelect
|
||||
isMulti
|
||||
autoFocus
|
||||
|
@ -70,6 +72,7 @@ class ColumnSettings extends React.PureComponent {
|
|||
placeholder={this.props.intl.formatMessage(messages.placeholder)}
|
||||
noOptionsMessage={this.noOptionsMessage}
|
||||
/>
|
||||
</NonceProvider>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
= javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
|
||||
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
|
||||
= csrf_meta_tags
|
||||
%meta{ name: 'style-nonce', content: request.content_security_policy_nonce }
|
||||
|
||||
= stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
|
||||
|
||||
|
|
|
@ -47,7 +47,25 @@ end
|
|||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
|
||||
# Rails.application.config.content_security_policy_report_only = true
|
||||
|
||||
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
|
||||
|
||||
# Monkey-patching Rails 5
|
||||
module ActionDispatch
|
||||
class ContentSecurityPolicy
|
||||
def nonce_directive?(directive)
|
||||
directive == 'style-src'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Rails 6 would require the following instead:
|
||||
# Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
|
||||
|
||||
PgHero::HomeController.content_security_policy do |p|
|
||||
p.script_src :self, :unsafe_inline, assets_host
|
||||
p.style_src :self, :unsafe_inline, assets_host
|
||||
end
|
||||
|
||||
PgHero::HomeController.after_action do
|
||||
request.content_security_policy_nonce_generator = nil
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue