[openstreetmap/openstreetmap-website] Add Turbo to replace custom JS (PR #4562)
Gregory Igelmund
notifications at github.com
Thu Mar 21 10:59:33 UTC 2024
@grekko commented on this pull request.
> @@ -2,6 +2,7 @@
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<%= javascript_include_tag "es6" unless browser.es6? %>
+ <%= javascript_include_tag "turbo", :type => "module" %>
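Review bot: the added `javascript_include_tag "turbo", :type => "module"` carries no nonce attribute, while the discussion directly below is about setting the CSP nonce for Turbo through secure_headers and the thread notes that `config/initializers/content_security_policy.rb` configures nothing yet. Either the Turbo bundle is served from an origin the eventual `script-src` already allows (a short note in the PR saying so would help), or this tag should take the nonce from the secure_headers helper so that a nonce-based `script-src` does not block the module once the policy is enforced.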
> which sets the CSP nonce for turbo using secure_headers instead.
OK. I had to read up a bit on the `secure_headers` gem's CSP implementation and on CSP generally.
I understand that the `csp_meta_tag` currently does nothing, since it's provided by Rails and builds on the Rails CSP configuration (currently nothing is configured in `config/initializers/content_security_policy.rb`).
`content_security_policy_style_nonce` is provided by `secure_headers` (here https://github.com/github/secure_headers/blob/7a23cb6b350b024a786e163e81c902552b9c484f/lib/secure_headers/view_helper.rb#L83-L85) and therefore the correct way to safelist certain inline styles.
I'll adjust the PR to reflect this. Thanks @tomhughes for pointing this out and please correct anything or add anything you think one should know.
As I've mentioned, my understanding of CSP is still limited and I have no practical experience yet.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/4562#discussion_r1533660273
Message ID: <openstreetmap/openstreetmap-website/pull/4562/review/1951799797 at github.com>
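The nonce-based safelisting discussed in this comment, shown as an added Ruby example that is not code from the PR, the openstreetmap-website project or the secure_headers gem: it generates a per-response nonce, emits a CSP header and a nonced inline `<style>`, and then checks whether a browser enforcing that header would apply the inline styles. The function names, the header layout and the tiny HTML parser are assumptions for illustration; in the real ERB view the nonce comes from secure_headers' `content_security_policy_style_nonce` helper, and the header from its configuration.

```ruby
require "securerandom"

# Fresh nonce for one HTTP response (stand-in for what secure_headers does per
# request). A nonce must never be reused across responses, or it stops being
# a proof that the server emitted this particular inline block.
def new_csp_nonce
  SecureRandom.base64(24)
end

# Assumed header layout: 'self' plus a nonce for script-src and style-src means
# external resources only from our origin, and inline <style>/<script> only when
# they carry this exact nonce. 'unsafe-inline' is deliberately absent.
def csp_header(nonce)
  "default-src 'self'; script-src 'self' 'nonce-#{nonce}'; style-src 'self' 'nonce-#{nonce}'"
end

# Render an inline style element carrying the nonce attribute (what the
# secure_headers view helper produces for the nonce in real templates).
def nonced_style_tag(css, nonce)
  %(<style nonce="#{nonce}">#{css}</style>)
end

# Parse a CSP header value into { directive => [sources] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name] = sources
  end
end

# Collect the nonce attribute of every <style> element (nil when missing).
# Minimal regex scan, sufficient for the constructed HTML used here.
def inline_style_nonces(html)
  html.scan(/<style\b([^>]*)>/i).map do |(attrs)|
    attrs[/\bnonce="([^"]*)"/, 1]
  end
end

# Would a browser enforcing `header` apply every inline <style> in `html`?
# style-src governs, falling back to default-src. Each inline block needs a
# nonce listed in the policy; per CSP Level 2+, 'unsafe-inline' is ignored as
# soon as any nonce or hash source is present. Hash sources are recognised but
# not evaluated against the style content in this example.
def inline_styles_allowed?(html, header)
  policy = parse_csp(header)
  sources = policy["style-src"] || policy["default-src"] || []
  nonces = sources.filter_map { |s| s[/\A'nonce-(.+)'\z/, 1] }
  hashes_present = sources.any? { |s| s.start_with?("'sha256-", "'sha384-", "'sha512-") }
  return true if sources.include?("'unsafe-inline'") && nonces.empty? && !hashes_present
  inline_style_nonces(html).all? { |n| n && nonces.include?(n) }
end

if __FILE__ == $PROGRAM_NAME
  nonce = new_csp_nonce
  header = csp_header(nonce)
  page = nonced_style_tag("body { margin: 0 }", nonce) + "<style>b { color: red }</style>"
  puts header
  puts "nonced block only: #{inline_styles_allowed?(nonced_style_tag('b{}', nonce), header)}"
  puts "page with an un-nonced block: #{inline_styles_allowed?(page, header)}"
end
```

The last check is the point of the thread: once a nonce appears in `style-src`, every inline style block without a matching nonce is dropped by the browser, so a helper that forgets the attribute (or uses a nonce from a different source than the header) silently breaks the page rather than failing at build time.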