-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle setting multiple headers of the same name (by using a comma-separate list) #323
Comments
I guess this is supported by just inserting |
I need help to randomise the part 'sha256-abc' |
SHAs are not to be random, they're supposed to be static. Dynamic hashes are not supported by design, at least not by this library. |
Meaning the SHA256-xxx the "xxx" value will be always static? this defeat the purpose of having sha256 on the setting tho. |
Are you thinking about the nonce feature? That generates a random number per request, included in the header, and allows you to use e.g. <%= nonced_javascript_tag do %>
console.log("nonced!");
<% end %>
<script nonce="<%= content_security_policy_nonce(:script) %>">
console.log("nonced!");
</script> The SHA is absolutely supposed to be static. If it's dynamically computed, it has no value. |
Feature Request
Rails does not allow you to set multiple headers with the same name, but CSP allows this. However, multiple headers that are comma separated can be used for the same effect.
This is an issue if you want to use the upcoming hashes for external sources feature AND restrict to a host:
Content-Security-Policy: script-src 'sha256-abc', script-src my.cdn.com
It will treat the
script-src
values as if they are separate policy, enforcing each individually.See https://twitter.com/mikewest/status/852252789690556417
The text was updated successfully, but these errors were encountered: