Fix hashtag column options styling (#14247)
* Enable nonces for stylesheets * Pass nonce to react-select
This commit is contained in:
parent
c3187411c2
commit
a783bdf4ad
|
@ -4,6 +4,7 @@ import ImmutablePropTypes from 'react-immutable-proptypes';
|
||||||
import { defineMessages, injectIntl, FormattedMessage } from 'react-intl';
|
import { defineMessages, injectIntl, FormattedMessage } from 'react-intl';
|
||||||
import Toggle from 'react-toggle';
|
import Toggle from 'react-toggle';
|
||||||
import AsyncSelect from 'react-select/async';
|
import AsyncSelect from 'react-select/async';
|
||||||
|
import { NonceProvider } from 'react-select';
|
||||||
import SettingToggle from '../../notifications/components/setting_toggle';
|
import SettingToggle from '../../notifications/components/setting_toggle';
|
||||||
|
|
||||||
const messages = defineMessages({
|
const messages = defineMessages({
|
||||||
|
@ -58,6 +59,7 @@ class ColumnSettings extends React.PureComponent {
|
||||||
{this.modeLabel(mode)}
|
{this.modeLabel(mode)}
|
||||||
</span>
|
</span>
|
||||||
|
|
||||||
|
<NonceProvider nonce={document.querySelector('meta[name=style-nonce]').content}>
|
||||||
<AsyncSelect
|
<AsyncSelect
|
||||||
isMulti
|
isMulti
|
||||||
autoFocus
|
autoFocus
|
||||||
|
@ -70,6 +72,7 @@ class ColumnSettings extends React.PureComponent {
|
||||||
placeholder={this.props.intl.formatMessage(messages.placeholder)}
|
placeholder={this.props.intl.formatMessage(messages.placeholder)}
|
||||||
noOptionsMessage={this.noOptionsMessage}
|
noOptionsMessage={this.noOptionsMessage}
|
||||||
/>
|
/>
|
||||||
|
</NonceProvider>
|
||||||
</div>
|
</div>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
|
@ -25,6 +25,7 @@
|
||||||
= javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
|
= javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
|
||||||
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
|
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
|
||||||
= csrf_meta_tags
|
= csrf_meta_tags
|
||||||
|
%meta{ name: 'style-nonce', content: request.content_security_policy_nonce }
|
||||||
|
|
||||||
= stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
|
= stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
|
||||||
|
|
||||||
|
|
|
@ -47,7 +47,25 @@ end
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
|
||||||
# Rails.application.config.content_security_policy_report_only = true
|
# Rails.application.config.content_security_policy_report_only = true
|
||||||
|
|
||||||
|
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
|
||||||
|
|
||||||
|
# Monkey-patching Rails 5
|
||||||
|
module ActionDispatch
|
||||||
|
class ContentSecurityPolicy
|
||||||
|
def nonce_directive?(directive)
|
||||||
|
directive == 'style-src'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Rails 6 would require the following instead:
|
||||||
|
# Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
|
||||||
|
|
||||||
PgHero::HomeController.content_security_policy do |p|
|
PgHero::HomeController.content_security_policy do |p|
|
||||||
p.script_src :self, :unsafe_inline, assets_host
|
p.script_src :self, :unsafe_inline, assets_host
|
||||||
p.style_src :self, :unsafe_inline, assets_host
|
p.style_src :self, :unsafe_inline, assets_host
|
||||||
end
|
end
|
||||||
|
|
||||||
|
PgHero::HomeController.after_action do
|
||||||
|
request.content_security_policy_nonce_generator = nil
|
||||||
|
end
|
||||||
|
|
Loading…
Reference in a new issue