Merge pull request #292 from twitter/view_helper

oreoshake · web-flow · commit 7801462a4ea6 · 2016-09-29T11:06:27.000-10:00
add content_security_policy_script/style_nonce to view helper
diff --git a/lib/secure_headers/view_helper.rb b/lib/secure_headers/view_helper.rb
@@ -34,6 +34,14 @@ def content_security_policy_nonce(type)
       end
     end
 
+    def content_security_policy_script_nonce
+      content_security_policy_nonce(:script)
+    end
+
+    def content_security_policy_style_nonce
+      content_security_policy_nonce(:style)
+    end
+
     ##
     # Checks to see if the hashed code is expected and adds the hash source
     # value to the current CSP.
diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -27,6 +27,16 @@ def self.template
     background-color: black;
   }
 <% end %>
+
+<script nonce="<%= content_security_policy_script_nonce %>">
+  alert(1)
+</script>
+
+<style nonce="<%= content_security_policy_style_nonce %>">
+  body {
+    background-color: black;
+  }
+</style>
 <%= @name %>
 
 TEMPLATE
