Overview UI Broken Due to Nonce Whitelist

[ben-amplify]

Hi all, I hope this finds you well!

The security requirements for our app dictate that we must whitelist all JavaScript via the nonce attribute.

This breaks the "Live Poll" feature of Resque's UI (resque/overview), as it doesn't update or have CSS. I've looked into the documentation and issues here but have not found a solution.

Is there a way to add the nonce or edit the view? Or how can we get around this?

Thank you

[PatrickTulskie]

I've never had to do that before so I'm unfamiliar with that requirement. That said, you may want to take a look at the views here: https://github.com/resque/resque/tree/master/lib/resque/server/views

Depending on your security requirements you may need to do something custom or run a fork of the gem. I guess you could also extract the server portion of the gem and modify it for your usage in your system.

[ben-amplify]

Thanks for the reply Partick.
I now understand the change needed would look like this in lib/resque/server/views/layout.erb, where nonce is a variable set by the App's Application Controller

<script nonce="<%=nonce%>" src="<%=u 'jquery-3.6.0.min.js' %>" type="text/javascript"></script>

I tried to override the gem's view in the app directory like this but no combination (eg 'app/views/resque/layout.erb') I could find had any effect.

I guess mount Resque::Server.new, at: '/resque' in routes.rb stops this kind of thing from happening