Violates CSP `unsafe-inline` rule

[chrisnicola]

While I get that this isn't a huge deal in development, I'd prefer if the CSP rules in development mode mostly matched the ones I'd like to use in production so that developers know if they are violating CSP rules.

This script is the main problem, assuming SWF is off.

<script type="text/javascript">
  RACK_LIVERELOAD_PORT = 35729;
</script>

I'm trying to think of ways this could be done without an inline script. Possibly a data attribute?

[ryenski]

This is going to be an issue with Rails 5.2, which includes CSP policy by default. See rails/rails#31162 (comment)

[pixeltrix]

One suggestion is to use nonce values for the script tags and dynamically modify the CSP header in the middleware

[coolsoftwaretyler]

I've got a project that uses a restrictive CSP in development, and it'd be great to have a solution other than conditionally allowing this through the CSP in the dev environment.

Anyone working on this? Is it worth it for me to dig in, myself?

[denzelem]

With the Webpack integration in Rails this issue becomes less important, as many people using the live reload mechanism of the webpack dev server. So guard-livereload + rack-livereload is only required, if you want to live reload e.g. the text in views.

Still here is an unfinished code example, that might be used to prepare a PR to https://github.com/jaredmdobson/rack-livereload
(this repo here is deprecated). Unfortunately jaredmdobson/rack-livereload does not allow issues, to ask if a PR is welcome.

lib/ext/rack_livereload/body_processor.rb

if Rails.env.development?

  module BodyProcessorExtension
    def process!(env)
      @content_security_policy_nonce = if ActionDispatch::Request.new(env).respond_to?(:content_security_policy_nonce)
        ActionDispatch::Request.new(env).content_security_policy_nonce
      end

      super
    end

    def template
      template_path = Rails.root.join('lib', 'ext', 'rack_livereload', 'skel', 'livereload.html.erb')

      ERB.new(::File.read(template_path))
    end
  end

  Rack::LiveReload::BodyProcessor.prepend(BodyProcessorExtension)

end

lib/ext/rack_livereload/skel/livereload.html.erb

<% if with_swf? %>
  <script type="text/javascript" nonce="<%= @content_security_policy_nonce %>">
      WEB_SOCKET_SWF_LOCATION = "/__rack/WebSocketMain.swf";
      <% if force_swf? %>
      WEB_SOCKET_FORCE_FLASH = true;
      <% end %>
  </script>
  <script type="text/javascript" src="<%= app_root %>/__rack/swfobject.js"></script>
  <script type="text/javascript" src="<%= app_root %>/__rack/web_socket.js"></script>
<% end %>
<script type="text/javascript" nonce="<%= @content_security_policy_nonce %>">
    RACK_LIVERELOAD_PORT = <%= @options[:live_reload_port] %>;
</script>
<script type="text/javascript" src="<%= livereload_source %>"></script>

This requires you to apply the following settings to the application:

Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

Dir.glob(Rails.root.join('lib/ext/**/*.rb')).each do |filename|
  require filename
end