I currently have a content security policy set up in my application, however it is not detected by bullet (I am running v7.0.7 of bullet). In order to investigate I went ahead and put a breakpoint in the bullet loader and discovered the following:
➜ rails c
[21, 30] in ~/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/bullet-7.0.7/lib/bullet.rb
    21|   autoload :NotificationCollector, 'bullet/notification_collector'
    22|
    23|   if defined?(Rails::Railtie)
    24|     class BulletRailtie < Rails::Railtie
    25|       initializer 'bullet.configure_rails_initialization' do |app|
=>  26|         debugger
    27|         if defined?(ActionDispatch::ContentSecurityPolicy::Middleware) && Rails.application.config.content_security_policy
    28|           app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, Bullet::Rack
    29|         else
    30|           app.middleware.use Bullet::Rack
=>#0  block {|app=#<Kp20::Application>|} in <class:BulletRailtie> at ~/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/bullet-7.0.7/lib/bullet.rb:26
  #1  [C] BasicObject#instance_exec at ~/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/railties-7.0.4.3/lib/rails/initializable.rb:32
  # and 32 frames (use `bt' command for all frames)
(ruby) Rails.application.config.content_security_policy
nil
(rdbg) c    # continue command
Loading development environment (Rails 7.0.4.3)
irb: warn: can't alias context from irb_context.
irb(main):001:0> Rails.application.config.content_security_policy
=> #<ActionDispatch::ContentSecurityPolicy:0x000000010b5864c8 @directives={"default-src"=>["'self'", "https:"], "font-src"=>["'self'", "https:"], "img-src"=>["'self'", "https:", "data:"], "object-src"=>["'none'"], "script-src"=>["'self'", "https:"], "style-src"=>["'self'", "https:"]}>
irb(main):002:0>
Based on this, it looks like bullet is loading too early and is ill-positioned to actually detect whether the CSP middleware is loaded. In order to try to fix it, I tried moving the bullet initializer before and after the CSP loader, but to no avail.
If I modify the bullet code to always call app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, Bullet::Rack then everything works properly, which confirms the issue is the loader not being able to detect the CSP.
I've been running with Bullet.skip_html_injection = true in order to avoid this. Unfortunately that means no alerts in the browser but that was the best I could find.
I think a reasonable fix would be to remove the && Rails.application.config.content_security_policy check in the code - I don't see any downsides of inserting the Bullet::Rack middleware before ActionDispatch::ContentSecurityPolicy::Middleware
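To make the ordering question concrete, here is an added, constructed illustration (not code from bullet or from this thread) of why an HTML-injecting middleware should sit before (outside) the CSP middleware: the injector's inline script only satisfies a nonce-based policy if it can read the nonce from the response's Content-Security-Policy header, which is only present once the CSP layer has run. The class names CspMiddleware and Injector and the constant APP are stand-ins invented for this example; the assumption that the injector copies the nonce from the response header is this example's, not a statement about bullet's code.

```ruby
require 'securerandom'

# Constructed example: plain Rack-style objects (status, headers, body), no rack gem.
NONCE_RE = /'nonce-([^']+)'/

# Stand-in for ActionDispatch::ContentSecurityPolicy::Middleware: on the way out,
# it stamps a fresh per-request nonce into the Content-Security-Policy header.
class CspMiddleware
  def initialize(app); @app = app; end
  def call(env)
    status, headers, body = @app.call(env)
    nonce = SecureRandom.base64(16)
    headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self' 'nonce-#{nonce}'"
    [status, headers, body]
  end
end

# Stand-in for an injecting middleware such as Bullet::Rack: appends an inline <script>
# to the HTML and, if the response already carries a CSP header, copies its nonce onto the tag.
class Injector
  def initialize(app); @app = app; end
  def call(env)
    status, headers, body = @app.call(env)
    nonce = headers['Content-Security-Policy'].to_s[NONCE_RE, 1]
    tag = nonce ? %(<script nonce="#{nonce}">/* injected */</script>) : '<script>/* injected */</script>'
    html = body.join.sub('</body>', "#{tag}</body>")
    headers['Content-Length'] = html.bytesize.to_s
    [status, headers, [html]]
  end
end

# The application itself: a fixed HTML page (constructed).
APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<html><body>hi</body></html>']] }

# True when the injected script carries the nonce the shipped policy demands,
# i.e. a CSP-enforcing browser would execute it rather than block it.
def injected_script_allowed?(stack)
  _status, headers, body = stack.call({})
  policy_nonce = headers['Content-Security-Policy'].to_s[NONCE_RE, 1]
  tag_nonce = body.join[/<script nonce="([^"]+)">/, 1]
  !policy_nonce.nil? && policy_nonce == tag_nonce
end

# insert_before the CSP middleware: injector is the outer layer, so it sees the header.
def injector_before_csp; injected_script_allowed?(Injector.new(CspMiddleware.new(APP))); end
# app.middleware.use: appended innermost, so the header is not yet set when it injects.
def injector_after_csp; injected_script_allowed?(CspMiddleware.new(Injector.new(APP))); end

puts "before CSP: #{injector_before_csp}, after CSP: #{injector_after_csp}"  # => true, false
```

The `false` case is exactly what the `else` branch (`app.middleware.use Bullet::Rack`) produces whenever the nil check fires, so the injected script is silently dropped by the browser rather than shown.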
Here's an alternative, add this to your config/environments/development.rb:
MyApp::Application.configure do
  ...
  config.content_security_policy { }
  ...
end
That will initialize an empty policy prior to bullet init, which makes Rails.application.config.content_security_policy truthy. It still configures your real CSP afterwards, so it seems to be safe.