Conversation
does the nonced_javascript_tag method need a block? we might be able to simplify this to:
<%= nonced_javascript_tag src: dap_source, async: true, id: '_fed_an_ua_tag' %>
Weirdly enough, it does. Although the method signature contains a parameter called 'content_or_options', it will always try and put the first argument into the tag as content, unless you also supply a block. See the code here.
I verified this by just passing a hash to nonced_javascript_tag, and the method shown above tried to call html_safe on it. Passing a string 'works', although it's put inside the tag as content.
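To make the quirk discussed in this comment concrete, here is an added, self-contained Ruby stand-in for the helper. It is not the library's code and not part of this PR: it only mirrors the behaviour the comment describes (a `content_or_options` first argument that is treated as tag content unless a block is given) so the two call styles can be compared, and it adds a small check that a rendered tag's nonce is actually present in the CSP `script-src` value. The class name `NonceHelper`, the fixed nonce, the example URL and the `nonce_allowed?` check are all assumptions made for this illustration; the real helper also calls `html_safe` on the content, which this stand-in does not reproduce.

```ruby
require 'securerandom'
require 'cgi'

# Assumed stand-in for the nonced_javascript_tag helper discussed above.
# NOT the library's implementation; it reproduces the documented argument
# handling so the with-block and without-block call styles can be compared.
class NonceHelper
  attr_reader :nonce

  # A fixed nonce may be supplied for reproducible output; in a real app the
  # nonce is generated per response and must also appear in the CSP header.
  def initialize(nonce = SecureRandom.base64(16))
    @nonce = nonce
  end

  # Mirrors the quirk: without a block, the first positional argument is used
  # as the tag body and attributes can only come from the second argument.
  # With a block, the first argument is treated as the attribute hash and the
  # block's return value becomes the tag body.
  def nonced_javascript_tag(content_or_options = nil, html_options = {}, &block)
    if block_given?
      html_options = content_or_options || {}
      content = block.call
    else
      content = content_or_options
    end
    attrs = html_options.merge(nonce: nonce).map do |key, value|
      # `true` renders a boolean attribute such as `async`; other values are
      # HTML-escaped so attribute injection through a value is not possible.
      value == true ? key.to_s : "#{key}=\"#{CGI.escapeHTML(value.to_s)}\""
    end
    "<script #{attrs.join(' ')}>#{content}</script>"
  end

  # Builds the script-src directive that must accompany the tag. Extra hosts
  # correspond to the "additional domain" the PR adds to the CSP config.
  def csp_script_src(*hosts)
    ["script-src 'self' 'nonce-#{nonce}'", *hosts].join(' ')
  end

  # Defender-side check: does the nonce on the rendered tag appear in the
  # policy? If not, the browser will refuse to execute the script.
  def self.nonce_allowed?(tag, policy)
    match = tag.match(/nonce="([^"]+)"/)
    !match.nil? && policy.include?("'nonce-#{match[1]}'")
  end
end

if __FILE__ == $PROGRAM_NAME
  helper = NonceHelper.new('abc123') # constructed nonce for the demo
  # Call style from the PR: attributes first, block supplies (empty) content.
  puts helper.nonced_javascript_tag(src: 'https://example.invalid/dap.js',
                                    async: true, id: '_fed_an_ua_tag') { '' }
  # Without a block the hash lands inside the tag body instead of as attributes.
  puts helper.nonced_javascript_tag(src: 'https://example.invalid/dap.js')
  puts helper.csp_script_src('https://analytics.example.invalid')
end
```

Running the file prints the correctly formed tag first, then the malformed variant whose `src`/`async`/`id` ended up as script content, which is the behaviour the comment observed with the real helper.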
My ruby / rails is a little rusty so maybe there is a more appropriate way to use the library...but this seems to resolve the issue
if it works, it works ¯\_(ツ)_/¯
This should be '<%= Figaro.env.google_analytics_key %>' since you converted it from Slim to ERB.
Other than the ERB variable fix, I think this looks good. I tested it locally by setting
**Why**: Our Content Security Policy dictates that external resources that execute inline, such as javascript or css, won't be loaded by the browser unless nonces are added to the tags in question.
**How**:
- Updates CSP config to include additional domain from which content is loaded
- Uses nonced_javascript_tag where necessary
- Alters GA script to set nonce on the dynamic script tag

Use erb syntax in google analytics partial
**Why**: I updated the file type from slim to erb, but neglected to change the variable interpolation around the analytics key
b41f3a2 to
d92e5cc
Hello! I know I am late to the game on this but curious: why was changing this to Was there something happening in the slim templates that we couldn't fix without converting? (tried to see if this was explained in the PR convo anywhere but couldn't find it)
Yes! The same issue popped up here (PR), basically, I couldn't get the
Why:
Our Content Security Policy dictates that external resources that
execute inline, such as those loaded via
<script> or <style> tags, won't be loaded by the browser unless nonces are added to the tags in question.
How:
loaded