Support multiple sources in asset tag helpers

Author: paulfri

lib/secure_headers/view_helper.rb

@@ -19,7 +19,9 @@ def nonced_style_tag(content_or_options = {}, &block)
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_link_tag(*args, &block)
-      stylesheet_link_tag(*args, nonce: content_security_policy_nonce(:style), &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+
+      stylesheet_link_tag(*args, opts, &block)
     end
 
     # Public: create a script tag using the content security policy nonce.
@@ -34,24 +36,30 @@ def nonced_javascript_tag(content_or_options = {}, &block)
     # Instructs secure_headers to append a nonce to script-src directive.
     #
     # Returns an html-safe script tag with the nonce attribute.
-    def nonced_javascript_include_tag(*args, **kwargs, &block)
-      javascript_include_tag(*args, kwargs.merge(nonce: content_security_policy_nonce(:script)), &block)
+    def nonced_javascript_include_tag(*args, &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+
+      javascript_include_tag(*args, opts, &block)
     end
 
     # Public: create a script Webpacker pack tag using the content security policy nonce.
     # Instructs secure_headers to append a nonce to script-src directive.
     #
     # Returns an html-safe script tag with the nonce attribute.
-    def nonced_javascript_pack_tag(*args, **kwargs, &block)
-      javascript_pack_tag(*args, kwargs.merge(nonce: content_security_policy_nonce(:script)), &block)
+    def nonced_javascript_pack_tag(*args, &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+
+      javascript_pack_tag(*args, opts, &block)
     end
 
     # Public: create a stylesheet Webpacker link tag using the content security policy nonce.
     # Instructs secure_headers to append a nonce to style-src directive.
     #
     # Returns an html-safe link tag with the nonce attribute.
-    def nonced_stylesheet_pack_tag(*args, **kwargs, &block)
-      stylesheet_pack_tag(*args, kwargs.merge(nonce: content_security_policy_nonce(:style)), &block)
+    def nonced_stylesheet_pack_tag(*args, &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+
+      stylesheet_pack_tag(*args, opts, &block)
     end
 
     # Public: use the content security policy nonce for this request directly.
@@ -146,6 +154,14 @@ def nonced_tag(type, content_or_options, block)
       end
       content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
     end
+
+    def extract_options(args)
+      if args.last.is_a? Hash
+        args.pop
+      else
+        {}
+      end
+    end
   end
 end
 

spec/lib/secure_headers/view_helpers_spec.rb

@@ -39,13 +39,13 @@ def self.template
   }
 </style>
 
-<%= nonced_javascript_include_tag "include.js" %>
+<%= nonced_javascript_include_tag "include.js", defer: true %>
 
-<%= nonced_javascript_pack_tag "pack.js", defer: true %>
+<%= nonced_javascript_pack_tag "pack.js", "otherpack.js", defer: true %>
 
-<%= nonced_stylesheet_link_tag "link.css" %>
+<%= nonced_stylesheet_link_tag "link.css", media: :all %>
 
-<%= nonced_stylesheet_pack_tag "pack.css", media: :all %>
+<%= nonced_stylesheet_pack_tag "pack.css", "otherpack.css", media: :all %>
 
 TEMPLATE
   end
@@ -72,14 +72,18 @@ def content_tag(type, content = nil, options = nil, &block)
     "<#{type}#{options}>#{content}</#{type}>"
   end
 
-  def javascript_include_tag(source, options = {})
-    content_tag(:script, nil, options.merge(src: source))
+  def javascript_include_tag(*sources, **options)
+    sources.map do |source|
+      content_tag(:script, nil, options.merge(src: source))
+    end
   end
 
   alias_method :javascript_pack_tag, :javascript_include_tag
 
-  def stylesheet_link_tag(source, options = {})
-    content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
+  def stylesheet_link_tag(*sources, **options)
+    sources.map do |source|
+      content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
+    end
   end
 
   alias_method :stylesheet_pack_tag, :stylesheet_link_tag