Merge pull request #373 from paulfri/webpacker-stylesheet-nonced-tag

Add missing `nonced_stylesheet_pack_tag`

Author: oreoshake

docs/per_action_configuration.md

@@ -72,6 +72,8 @@ body {
 <%= nonced_javascript_pack_tag "pack.js" %>
 
 <%= nonced_stylesheet_link_tag "link.css" %>
+
+<%= nonced_stylesheet_pack_tag "pack.css" %>
 ```
 
 becomes:
@@ -136,4 +138,4 @@ end
 class SessionsController < ApplicationController
   after_action  :clear_browser_cache, only: :destroy
 end
-```
+```

lib/secure_headers/view_helper.rb

@@ -19,7 +19,9 @@ def nonced_style_tag(content_or_options = {}, &block)
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_link_tag(*args, &block)
-      stylesheet_link_tag(*args, nonce: content_security_policy_nonce(:style), &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+
+      stylesheet_link_tag(*args, opts, &block)
     end
 
     # Public: create a script tag using the content security policy nonce.
@@ -35,15 +37,29 @@ def nonced_javascript_tag(content_or_options = {}, &block)
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_include_tag(*args, &block)
-      javascript_include_tag(*args, nonce: content_security_policy_nonce(:script), &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+
+      javascript_include_tag(*args, opts, &block)
     end
 
     # Public: create a script Webpacker pack tag using the content security policy nonce.
     # Instructs secure_headers to append a nonce to script-src directive.
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_pack_tag(*args, &block)
-      javascript_pack_tag(*args, nonce: content_security_policy_nonce(:script), &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+
+      javascript_pack_tag(*args, opts, &block)
+    end
+
+    # Public: create a stylesheet Webpacker link tag using the content security policy nonce.
+    # Instructs secure_headers to append a nonce to style-src directive.
+    #
+    # Returns an html-safe link tag with the nonce attribute.
+    def nonced_stylesheet_pack_tag(*args, &block)
+      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+
+      stylesheet_pack_tag(*args, opts, &block)
     end
 
     # Public: use the content security policy nonce for this request directly.
@@ -138,6 +154,14 @@ def nonced_tag(type, content_or_options, block)
       end
       content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
     end
+
+    def extract_options(args)
+      if args.last.is_a? Hash
+        args.pop
+      else
+        {}
+      end
+    end
   end
 end
 

spec/lib/secure_headers/view_helpers_spec.rb

@@ -39,11 +39,13 @@ def self.template
   }
 </style>
 
-<%= nonced_javascript_include_tag "include.js" %>
+<%= nonced_javascript_include_tag "include.js", defer: true %>
 
-<%= nonced_javascript_pack_tag "pack.js" %>
+<%= nonced_javascript_pack_tag "pack.js", "otherpack.js", defer: true %>
 
-<%= nonced_stylesheet_link_tag "link.css" %>
+<%= nonced_stylesheet_link_tag "link.css", media: :all %>
+
+<%= nonced_stylesheet_pack_tag "pack.css", "otherpack.css", media: :all %>
 
 TEMPLATE
   end
@@ -70,16 +72,22 @@ def content_tag(type, content = nil, options = nil, &block)
     "<#{type}#{options}>#{content}</#{type}>"
   end
 
-  def javascript_include_tag(source, options = {})
-    content_tag(:script, nil, options.merge(src: source))
+  def javascript_include_tag(*sources, **options)
+    sources.map do |source|
+      content_tag(:script, nil, options.merge(src: source))
+    end
   end
 
   alias_method :javascript_pack_tag, :javascript_include_tag
 
-  def stylesheet_link_tag(source, options = {})
-    content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
+  def stylesheet_link_tag(*sources, **options)
+    sources.map do |source|
+      content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
+    end
   end
 
+  alias_method :stylesheet_pack_tag, :stylesheet_link_tag
+
   def result
     super(binding)
   end