Add CSP nonce to graphiql-rails JavaScript

e078d515 · Stan Hu · 4d70537c · e078d515 · e078d515
Commit e078d515 authored Sep 11, 2019 by Stan Hu
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

Gemfile Gemfile +3 -1

app/views/graphiql/rails/editors/show.html.erb app/views/graphiql/rails/editors/show.html.erb +2 -2

No files found.
--- a/Gemfile
+++ b/Gemfile
@@ -84,7 +84,9 @@ gem 'rack-cors', '~> 1.0.0', require: 'rack/cors'
 # GraphQL API
 gem 'graphql', '~> 1.9.11'
-# TODO: remove app/views/graphiql/rails/editors/show.html.erb when https://github.com/rmosolgo/graphiql-rails/pull/71 will be released
+# NOTE: graphiql-rails v1.5+ doesn't work: https://gitlab.com/gitlab-org/gitlab-ce/issues/67293
+# TODO: remove app/views/graphiql/rails/editors/show.html.erb when https://github.com/rmosolgo/graphiql-rails/pull/71 is released:
+# https://gitlab.com/gitlab-org/gitlab-ce/issues/67263
 gem 'graphiql-rails', '~> 1.4.10'
 gem 'apollo_upload_server', '~> 2.0.0.beta3'
 gem 'graphql-docs', '~> 1.6.0', group: [:development, :test]

--- a/app/views/graphiql/rails/editors/show.html.erb
+++ b/app/views/graphiql/rails/editors/show.html.erb
@@ -10,7 +10,7 @@
    <div id="graphiql-container">
      Loading...
    </div>
-    <script>
+    <%= javascript_tag nonce: true do -%>
    var parameters = {};
    <% if GraphiQL::Rails.config.query_params %>
@@ -94,6 +94,6 @@
      }),
      document.getElementById("graphiql-container")
    );
-    </script>
+    <% end -%>
  </body>
 </html>