SECURITY: Don't reuse CSP nonce between anonymous requests

This commit is contained in:
OsamaSayegh
2023-07-28 12:53:44 +01:00
committed by David Taylor
parent 672f3e7e41
commit 0976c8fad6
15 changed files with 105 additions and 22 deletions


@@ -64,8 +64,10 @@ module ApplicationHelper
google_universal_analytics_json
end
def self.google_tag_manager_nonce(env)
env[:discourse_content_security_policy_nonce] ||= SecureRandom.hex
def google_tag_manager_nonce_placeholder
placeholder = "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
response.headers["Discourse-GTM-Nonce-Placeholder"] = placeholder
placeholder
end
def shared_session_key
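Review bot: The new `google_tag_manager_nonce_placeholder` helper has no comment saying why a placeholder is rendered instead of the nonce itself, which is the whole point of this commit; a reader of this method alone sees only a random marker being stuffed into a response header. The commit title says the nonce was being reused between anonymous requests, which suggests the rendered page is served from a cache and the real nonce must be substituted per response after that cache — but the substitution side is not in this hunk, so that is inferred. A comment such as `# Render a per-request placeholder, not the nonce: the page body may be cached and served to other anonymous requests, so the real nonce is substituted per response downstream.` above the `def` would capture this. It is also worth confirming that whatever consumes `Discourse-GTM-Nonce-Placeholder` strips the header before the response leaves the app, so the placeholder-to-nonce mapping is never visible to the client.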


@@ -1,6 +1,6 @@
<meta id="data-google-tag-manager"
data-data-layer="<%= google_tag_manager_json %>"
data-nonce="<%= ApplicationHelper.google_tag_manager_nonce(request.env) %>"
data-nonce="<%= google_tag_manager_nonce_placeholder %>"
data-container-id="<%= SiteSetting.gtm_container_id %>" />
<%= preload_script 'google-tag-manager' %>