Add nonce to style tag

RobinDaugherty · RobinDaugherty · commit 2afa399ac5fc · 2020-12-13T09:29:00.000-05:00
diff --git a/Rakefile b/Rakefile
@@ -41,7 +41,7 @@ end
 namespace :style do
   desc "Build main.css from the SASS sources"
   task :build do
-    css = BetterErrors::ErrorPageStyle.compiled_style(true)
+    css = BetterErrors::ErrorPageStyle.compiled_css(true)
     File.open(File.expand_path("lib/better_errors/templates/main.css", File.dirname(__FILE__)), "w") do |f|
       f.write(css)
     end
diff --git a/lib/better_errors/error_page_style.rb b/lib/better_errors/error_page_style.rb
@@ -3,7 +3,7 @@
 module BetterErrors
   # @private
   module ErrorPageStyle
-    def self.compiled_style(for_deployment = false)
+    def self.compiled_css(for_deployment = false)
       style_dir = File.expand_path("style", File.dirname(__FILE__))
       style_file = "#{style_dir}/main.scss"
 
@@ -17,14 +17,14 @@ def self.compiled_style(for_deployment = false)
       engine.render
     end
 
-    def self.style_tag
+    def self.style_tag(csp_nonce)
       style_file = File.expand_path("templates/main.css", File.dirname(__FILE__))
       css = if File.exist?(style_file)
         File.open(style_file).read
       else
-        compiled_style(false)
+        compiled_css(false)
       end
-      "<style type='text/css'>\n#{css}\n</style>"
+      "<style type='text/css' nonce='#{csp_nonce}'>\n#{css}\n</style>"
     end
   end
 end
diff --git a/lib/better_errors/middleware.rb b/lib/better_errors/middleware.rb
@@ -119,8 +119,7 @@ def show_error_page(env, exception=nil)
           # for older browsers without nonce support.
           # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
           "script-src 'self' 'nonce-#{csp_nonce}' 'unsafe-inline'",
-          # Inline style is required by the syntax highlighter.
-          "style-src 'self' 'unsafe-inline'",
+          "style-src 'self' 'nonce-#{csp_nonce}' 'unsafe-inline'",
           "connect-src 'self'",
           "navigate-to 'self' #{BetterErrors.editor.scheme}",
         ].join('; '),
diff --git a/lib/better_errors/templates/main.erb b/lib/better_errors/templates/main.erb
@@ -5,7 +5,7 @@
 </head>
 <body class="better-errors-javascript-not-loaded">
     <%# Stylesheets are placed in the <body> for Turbolinks compatibility. %>
-    <%== ErrorPageStyle.style_tag %>
+    <%== ErrorPageStyle.style_tag(csp_nonce) %>
 
     <%# IE8 compatibility crap %>
     <script nonce="<%= csp_nonce %>">
