Merge pull request rails#53794 from alexandergitter/preload-links-csp-nonce

Add CSP nonce to preload links

Author: byroot

actionview/lib/action_view/helpers/asset_tag_helper.rb

@@ -127,6 +127,7 @@ def javascript_include_tag(*sources)
             preload_link = "<#{href}>; rel=#{rel}; as=script"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -215,6 +216,7 @@ def stylesheet_link_tag(*sources)
             preload_link = "<#{href}>; rel=preload; as=style"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -362,6 +364,13 @@ def preload_link_tag(source, options = {})
         integrity = options[:integrity]
         nopush = options.delete(:nopush) || false
         rel = mime_type == "module" ? "modulepreload" : "preload"
+        add_nonce = content_security_policy_nonce &&
+          respond_to?(:request) &&
+          request.content_security_policy_nonce_directives&.include?("#{as_type}-src")
+
+        if add_nonce
+          options[:nonce] = content_security_policy_nonce
+        end
 
         link_tag = tag.link(
           rel: rel,
@@ -375,6 +384,7 @@ def preload_link_tag(source, options = {})
         preload_link += "; type=#{mime_type}" if mime_type
         preload_link += "; crossorigin=#{crossorigin}" if crossorigin
         preload_link += "; integrity=#{integrity}" if integrity
+        preload_link += "; nonce=#{content_security_policy_nonce}" if add_nonce
         preload_link += "; nopush" if nopush
 
         send_preload_links_header([preload_link])

actionview/test/template/asset_tag_helper_test.rb

@@ -25,7 +25,7 @@ class AssetTagHelperTest < ActionView::TestCase
   attr_reader :request, :response
 
   class FakeRequest
-    attr_accessor :script_name
+    attr_accessor :script_name, :content_security_policy_nonce_directives
     def protocol() "http://" end
     def ssl?() false end
     def host_with_port() "localhost" end
@@ -724,6 +724,27 @@ def test_should_set_preload_links_with_integrity_hashes
     end
   end
 
+  def test_should_set_preload_links_with_nonce
+    @request.content_security_policy_nonce_directives = %w(script-src)
+    with_preload_links_header do
+      preload_link_tag("http://example.com/preload.js")
+      stylesheet_link_tag("http://example.com/style.css", nonce: true)
+      javascript_include_tag("http://example.com/all.js", nonce: true)
+      expected = "<http://example.com/preload.js>; rel=preload; as=script; type=text/javascript; nonce=iyhD0Yc0W+c=,<http://example.com/style.css>; rel=preload; as=style; nonce=iyhD0Yc0W+c=; nopush,<http://example.com/all.js>; rel=preload; as=script; nonce=iyhD0Yc0W+c=; nopush"
+      assert_equal expected, @response.headers["link"]
+    end
+  end
+
+  def test_should_set_preload_link_tag_nonce_if_listed_in_csp_directives
+    @request.content_security_policy_nonce_directives = %w(script-src)
+    assert_equal %(<link rel="preload" href="/application.js" as="script" type="text/javascript" nonce="iyhD0Yc0W+c=">), preload_link_tag("/application.js")
+    assert_equal %(<link rel="preload" href="/style.css" as="style" type="text/css">), preload_link_tag("/style.css")
+
+    @request.content_security_policy_nonce_directives = %w(style-src)
+    assert_equal %(<link rel="preload" href="/application.js" as="script" type="text/javascript">), preload_link_tag("/application.js")
+    assert_equal %(<link rel="preload" href="/style.css" as="style" type="text/css" nonce="iyhD0Yc0W+c=">), preload_link_tag("/style.css")
+  end
+
   def test_should_not_preload_links_when_disabled
     with_preload_links_header(false) do
       stylesheet_link_tag("http://example.com/style.css")