Add manual CSP nonce and sha-256 support #163

Merged
merged 4 commits into from
Feb 8, 2016
Conversation

@sid77 sid77 (Contributor) commented Feb 8, 2016

This PR adds manual insertion of a CSP nonce and retrieve of CSP sha-256 source code hash.
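As an added illustration of the two mechanisms this PR exposes (example code, not the project's own helper): a CSP hash-source is the base64 of the SHA-256 over the exact inline script text, so any change to the script body invalidates it, while a per-response nonce lets the policy allow the tag by its nonce attribute instead. The script body, the helper names and the directive format below are constructed for this example; only the id="IntercomSettingsScriptTag" attribute comes from the commits on this page.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Constructed stand-in for an in-lined settings script (not the real output).
INLINE_SCRIPT = 'window.intercomSettings = {app_id: "abc123"};'

# CSP hash-source for an inline script: base64(SHA-256(script contents)).
# The digest covers exactly the text between <script> and </script>, so
# even a whitespace change yields a different value and the script is blocked.
def csp_sha256(script_body)
  "sha256-#{Base64.strict_encode64(Digest::SHA256.digest(script_body))}"
end

# Render the tag. With a nonce the tag carries nonce="..." and the policy
# must list 'nonce-...'; without one the policy must list the body's hash.
def script_tag(script_body, nonce: nil)
  attr = nonce ? %( nonce="#{nonce}") : ''
  %(<script id="IntercomSettingsScriptTag"#{attr}>#{script_body}</script>)
end

# Build a script-src directive that allows exactly this inline script.
def script_src_directive(script_body, nonce: nil)
  source = nonce ? "'nonce-#{nonce}'" : "'#{csp_sha256(script_body)}'"
  "script-src 'self' #{source}"
end

# Decide, the way a browser does, whether the directive permits the script:
# its nonce must match, or its current body must hash to a listed source.
def inline_script_allowed?(directive, script_body, nonce: nil)
  return directive.include?("'nonce-#{nonce}'") if nonce
  directive.include?("'#{csp_sha256(script_body)}'")
end

if __FILE__ == $0
  nonce = SecureRandom.base64(16) # fresh per response; never reuse
  puts script_tag(INLINE_SCRIPT, nonce: nonce)
  puts script_src_directive(INLINE_SCRIPT, nonce: nonce)
  puts script_src_directive(INLINE_SCRIPT)
end
```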

Marco Bonetti added 4 commits February 5, 2016 10:52
=== Original Commits ===

Add ./vendor/* to .gitignore for local installs

In-line intercom settings script

Move code generation inside intercom_javascript helper function and in-line it

Also remove extra </script>

Add csp_sha256 method

IN-LINE ALL THE CODE!

Test csp_sha256 for default values
=== Original Commits ===
Re-add back the IntercomSettingsScriptTag id

Update spec for checking for id="IntercomSettingsScriptTag"

Use .to_s instead of .output

Update spec and add testing for helper generated csp sha as well
@bobjflong (Contributor)

this looks great! Could you check why CI is failing?

@sid77 sid77 (Contributor, Author) commented Feb 8, 2016

bundle install is failing with the error ``NoMethodError: undefined method `spec' for nil:NilClass`` when running `bundle install` on ruby 1.9.3 and 2.1.2 (?)

@sid77 sid77 (Contributor, Author) commented Feb 8, 2016

works for me(tm) with boxen rvm and ruby 1.9.3:

marco@marcobook:~/src/intercom-rails% rvm install 1.9.3-p551
Downloading ruby-1.9.3-p551.tar.gz...
-> https://dqw8nmjcqpjn7.cloudfront.net/bb5be55cd1f49c95bb05b6f587701376b53d310eb1bb7c76fbd445a1c75b51e8
Installing ruby-1.9.3-p551...
Installed ruby-1.9.3-p551 to /opt/boxen/rbenv/versions/1.9.3-p551
marco@marcobook:~/src/intercom-rails% rvm rehash
marco@marcobook:~/src/intercom-rails% rvm versions
* system (set by /opt/boxen/rbenv/version)
  1.9.3-p551
  2.1.7
  2.2.3
marco@marcobook:~/src/intercom-rails% rbenv global 1.9.3-p551
marco@marcobook:~/src/intercom-rails% ruby --version
ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-darwin15.3.0]
marco@marcobook:~/src/intercom-rails% gem install bundle
Fetching: bundler-1.11.2.gem (100%)
Fetching: bundle-0.0.1.gem (100%)
Successfully installed bundler-1.11.2
Successfully installed bundle-0.0.1
2 gems installed
marco@marcobook:~/src/intercom-rails% bundle install
Fetching gem metadata from http://rubygems.org/............
Fetching version metadata from http://rubygems.org/...
Fetching dependency metadata from http://rubygems.org/..
Resolving dependencies...
Rubygems 1.8.23.2 is not threadsafe, so your gems will be installed one at a time. Upgrade to Rubygems 2.1.0 or higher to enable parallel gem installation.
Installing rake 10.1.0
Installing i18n 0.6.1
Installing multi_json 1.7.7
Installing builder 3.0.4
Installing erubis 2.7.0
Installing journey 1.0.4
Installing rack 1.4.5
Installing hike 1.2.3
Installing tilt 1.4.1
Installing coderay 1.0.9
Installing daemons 1.1.9
Installing diff-lcs 1.2.5
Installing eventmachine 1.0.3 with native extensions
Installing gem-release 0.7.3
Installing json 1.8.1 with native extensions
Installing method_source 0.8.1
Installing slop 3.4.5
Installing thor 0.19.1
Installing rspec-support 3.1.0
Installing tzinfo 1.0.0
Using bundler 1.11.2
Installing activesupport 3.2.13
Installing rack-cache 1.2
Installing rack-test 0.6.2
Installing rack-protection 1.5.3
Installing rack-ssl 1.3.4
Installing sprockets 2.2.2
Installing thin 1.6.2 with native extensions
Installing rdoc 3.12.2
Installing pry 0.9.12.2
Installing rspec-core 3.1.4
Installing rspec-expectations 3.1.1
Installing rspec-mocks 3.1.1
Installing activemodel 3.2.13
Using intercom-rails 0.2.29 from source at `.`
Installing sinatra 1.4.5
Installing rspec 3.1.0
Installing actionpack 3.2.13
Installing railties 3.2.13
Installing rspec-rails 3.1.0
Bundle complete! 10 Gemfile dependencies, 40 gems now installed.
Bundled gems are installed into ./vendor/bundle.
Post-install message from tzinfo:

TZInfo Timezone Data has Moved
==============================

The timezone data previously included with TZInfo as Ruby modules has now been
moved to a separate tzinfo-data gem. TZInfo also now supports using the system
zoneinfo files on Linux, Mac OS X and other Unix-like operating systems.

If you want to continue using the Ruby timezone modules, or you are using an
operating system that does not include zoneinfo files (such as
Microsoft Windows), you will need to install tzinfo-data by running:

gem install tzinfo-data

If tzinfo-data is installed then TZInfo will use the Ruby timezone modules.
Otherwise, it will attempt to find the system zoneinfo files. Please refer to
the TZInfo documentation (available from https://rubygems.org/gems/tzinfo) for
further information.

Post-install message from rdoc:
Depending on your version of ruby, you may need to install ruby rdoc/ri data:

<= 1.8.6 : unsupported
 = 1.8.7 : gem install rdoc-data; rdoc-data --install
 = 1.9.1 : gem install rdoc-data; rdoc-data --install
>= 1.9.2 : nothing to do! Yay!
marco@marcobook:~/src/intercom-rails%

Starting a build of 2.1.2 right now, not sure it will be much different though 💭

@sid77 sid77 (Contributor, Author) commented Feb 8, 2016

ruby 2.1.2 works as well:

marco@marcobook:~/src/intercom-rails% rvm install 2.1.2
Downloading ruby-2.1.2.tar.gz...
-> https://dqw8nmjcqpjn7.cloudfront.net/f22a6447811a81f3c808d1c2a5ce3b5f5f0955c68c9a749182feb425589e6635
Installing ruby-2.1.2...
Installed ruby-2.1.2 to /opt/boxen/rbenv/versions/2.1.2

marco@marcobook:~/src/intercom-rails% rvm rehash
marco@marcobook:~/src/intercom-rails% rvm global 2.1.2
marco@marcobook:~/src/intercom-rails% gem install bundle
Fetching: bundler-1.11.2.gem (100%)
Successfully installed bundler-1.11.2
Fetching: bundle-0.0.1.gem (100%)
Successfully installed bundle-0.0.1
2 gems installed
marco@marcobook:~/src/intercom-rails% bundle install
Fetching gem metadata from http://rubygems.org/............
Fetching version metadata from http://rubygems.org/...
Fetching dependency metadata from http://rubygems.org/..
Resolving dependencies...
Using rake 10.1.0
Installing builder 3.0.4
Installing multi_json 1.7.7
Installing i18n 0.6.1
Installing journey 1.0.4
Installing erubis 2.7.0
Installing hike 1.2.3
Installing rack 1.4.5
Installing tilt 1.4.1
Installing coderay 1.0.9
Installing daemons 1.1.9
Installing diff-lcs 1.2.5
Using json 1.8.1
Installing gem-release 0.7.3
Installing eventmachine 1.0.3 with native extensions
Installing method_source 0.8.1
Installing slop 3.4.5
Installing thor 0.19.1
Installing rspec-support 3.1.0
Using bundler 1.11.2
Installing tzinfo 1.0.0
Installing activesupport 3.2.13
Installing rack-cache 1.2
Installing rack-test 0.6.2
Installing rack-ssl 1.3.4
Installing rack-protection 1.5.3
Installing sprockets 2.2.2
Installing rdoc 3.12.2
Installing pry 0.9.12.2
Installing rspec-core 3.1.4
Installing rspec-expectations 3.1.1
Installing rspec-mocks 3.1.1
Using intercom-rails 0.2.29 from source at `.`
Installing activemodel 3.2.13
Installing sinatra 1.4.5
Installing rspec 3.1.0
Installing actionpack 3.2.13
Installing thin 1.6.2 with native extensions
Installing railties 3.2.13
Installing rspec-rails 3.1.0
Bundle complete! 10 Gemfile dependencies, 40 gems now installed.
Bundled gems are installed into ./vendor/bundle.
Post-install message from tzinfo:

TZInfo Timezone Data has Moved
==============================

The timezone data previously included with TZInfo as Ruby modules has now been
moved to a separate tzinfo-data gem. TZInfo also now supports using the system
zoneinfo files on Linux, Mac OS X and other Unix-like operating systems.

If you want to continue using the Ruby timezone modules, or you are using an
operating system that does not include zoneinfo files (such as
Microsoft Windows), you will need to install tzinfo-data by running:

gem install tzinfo-data

If tzinfo-data is installed then TZInfo will use the Ruby timezone modules.
Otherwise, it will attempt to find the system zoneinfo files. Please refer to
the TZInfo documentation (available from https://rubygems.org/gems/tzinfo) for
further information.

Post-install message from rdoc:
Depending on your version of ruby, you may need to install ruby rdoc/ri data:

<= 1.8.6 : unsupported
 = 1.8.7 : gem install rdoc-data; rdoc-data --install
 = 1.9.1 : gem install rdoc-data; rdoc-data --install
>= 1.9.2 : nothing to do! Yay!
marco@marcobook:~/src/intercom-rails%

@bobjflong (Contributor)

🚢

@sid77 sid77 (Contributor, Author) commented Feb 8, 2016

After a bit more digging, it seems the builds are failing due to an outdated version of bundler for those two versions.
The issue is referenced in rubygems/bundler#3559 and fixed in rubygems/bundler@f4481a7 which is tagged as 1.11.2 (same version I get when running gem install bundle in my local tests).

sid77 added a commit that referenced this pull request Feb 8, 2016
Add manual CSP nonce and sha-256 support
@sid77 sid77 merged commit 14c5ae4 into master Feb 8, 2016
@sid77 sid77 deleted the marco/csp_sha branch February 9, 2016 13:24