fresh_when in combination with CSP not working since 7.0.2.4 #44974
Comments
Hey @fschwahn, thanks for the report! I believe the solution to this would be to change the Let me know if this works for you or if you have other questions!
@skipkayhil Yes, I think you are correct. Changing the nonce generator as described in #44830 makes the test pass on both So this is more a fundamental incompatibility between this particular nonce generator, and conditional GET requests, and this just worked coincidentally due to the bug fixed in #44635.
@skipkayhil one more question, the guide states
Is this true when using the default rails cookie session store? I assume it is, but the wording here makes me a bit uneasy 😅
I'm glad you asked! The wording is definitely intentional to ensure that a good configuration is used. The cookie store does use an encrypted cookie jar here:
Edit: actually after reading through more docs I found that the
Great - maybe this information could also be mentioned in the guide? After reading that segment I was not sure how to verify that this was indeed secure. If the rails defaults are already safe, this could eliminate some uncertainty.
Steps to reproduce
Expected behavior
I'm not sure what's expected here, or if this is just fundamentally incompatible. Cached responses probably shouldn't include CSP headers?
Actual behavior
Since #44635 cached responses (using fresh_when) also return CSP headers, breaking JS in such pages.
System configuration
Rails version: 7.2.0.4 (also affects 6.1.5.1, and probably all versions with the above-mentioned PR).
Ruby version: 2.7.4p191
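The incompatibility described in this thread, modelled in plain Ruby as an added illustration (this is not code from the issue, from Rails or from the referenced PRs): a conditional GET answered with 304 carries a freshly generated nonce, so the cached page's inline script no longer matches the effective CSP header, while a session-stable nonce survives revalidation. The controller and browser stand-ins, and the assumption that a session-stable nonce is what "changing the nonce generator" refers to, are mine.

```ruby
require "securerandom"
require "digest"

# Constructed example: two CSP nonce strategies.
# A fresh value per request (SecureRandom) versus a value that is stable for
# the whole session. Treating the latter as the change discussed in the thread
# is an assumption; it is the strategy the Rails security guide recommends
# for pages served with conditional GET.
PER_REQUEST_NONCE = ->(_session) { SecureRandom.base64(16) }
PER_SESSION_NONCE = ->(session) { session[:id] }

# Stand-in for a controller action using fresh_when: the ETag is derived from
# the page content (a record version), not from the nonce, and the CSP header
# is computed per request and, as since #44635, sent even on a 304 response.
def render_page(session, if_none_match, nonce_generator)
  nonce = nonce_generator.call(session)
  etag  = %("#{Digest::SHA256.hexdigest("article-v1")[0, 16]}")
  headers = {
    "ETag" => etag,
    "Content-Security-Policy" => "script-src 'nonce-#{nonce}'"
  }
  return [304, headers, nil] if if_none_match == etag
  [200, headers, %(<script nonce="#{nonce}">init()</script>)]
end

# Stand-in for a browser: caches the 200 response, revalidates with
# If-None-Match, and on 304 updates the stored headers with the ones just
# received (RFC 7234 section 4.3.4). Returns whether the cached inline
# script's nonce still matches the nonce in the effective CSP header.
def cached_script_allowed?(session, nonce_generator)
  _status, headers, body = render_page(session, nil, nonce_generator)
  cached = { headers: headers, body: body }

  status, fresh_headers, fresh_body = render_page(session, cached[:headers]["ETag"], nonce_generator)
  if status == 304
    cached[:headers] = cached[:headers].merge(fresh_headers)
  else
    cached = { headers: fresh_headers, body: fresh_body }
  end

  allowed_nonce = cached[:headers]["Content-Security-Policy"][/'nonce-([^']+)'/, 1]
  cached[:body][/nonce="([^"]+)"/, 1] == allowed_nonce
end

session = { id: SecureRandom.hex(16) }
puts "per-request nonce, script runs after 304: #{cached_script_allowed?(session, PER_REQUEST_NONCE)}" # false
puts "per-session nonce, script runs after 304: #{cached_script_allowed?(session, PER_SESSION_NONCE)}" # true
```

A session-stable nonce only keeps its CSP value if the session id cannot be predicted or read by injected content, which is the property the guide wording discussed above is meant to guarantee.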