Suggest a CSP that's compatible with Turbo + import map by dhh · Pull Request #4...

3 years ago

source link: https://github.com/rails/rails/pull/43227
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Copy link

Member

dhh commented 11 days ago

In order for CSP to work with Turbo and an import map, we need nonces to be generated, but if we use per-request nonces, we'll cause the default etags generated on the basis of the response html to constantly change. This essentially kills the benefit of our default etags. Seems like it's worth the slight security trade-off to suggest using session-based nonces.

Recommend

Requires selenium-webdriver 4.0.0 by ceritium · Pull Request #43270 · rails/rail...
Allow permitting numeric params by HParker · Pull Request #42501 · rails/rails ·...
We need concrete protections from artificial intelligence threatening human righ...
[ci skip] Add Bootstrap and Bulma to the CSS processors' list by alexandreruban...
Don't overwrite default opts in rich_text_area_tag by lmansur · Pull Request #43...
Novel beamforming network solution for single layer printed circuit board implem...
Avoid comment calls in pg:dump by jaynetics · Pull Request #43216 · rails/rails...
Adds support for deferrable foreign key constraints in PostgreSQL by benedikt ·...
Add Server Timing middleware by sebastians · Pull Request #36289 · rails/rails ·...
Let link_to infer link name from Model#to_s by olivierlacan · Pull Request #4223...

About Joyk

Aggregate valuable and interesting links.
Joyk means Joy of geeK