1. 07 Aug, 2019 1 commit
    • Stan Hu's avatar
      Add support for Content-Security-Policy · be105fe2
      Stan Hu authored
      A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
      inline JavaScript to execute if the script nonce matches the header
      value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
      so provide configuration to enable this and make it work.
      
      To support this, we need to change all `:javascript` HAML filters to the
      following form:
      
      ```
      = javascript_tag nonce: true do
        :plain
          ...
      ```
      
      We use `%script` throughout our HAML to store JSON and other text, but
      since this doesn't execute, browsers don't appear to block this content
      from being used and require the nonce value to be present.
      be105fe2
  2. 06 Aug, 2019 6 commits
  3. 05 Aug, 2019 33 commits