DEV: Memoize CSP nonce placeholder on response (#25724)

That way, the same value is used even if the helper is called in the context of different controllers Followup to c8a1b49ddd
2024-02-16 12:15:55 +00:00 · 2024-02-16 12:15:55 +00:00 · 1672a24490
parent b1f74ab59e
commit 1672a24490
2 changed files with 6 additions and 7 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -66,12 +66,9 @@ module ApplicationHelper
  end
  def csp_nonce_placeholder
-    @csp_nonce_placeholder ||=
+    response.headers[
-      begin
+      ::Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER
-        placeholder = "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
+    ] ||= "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
        response.headers["Discourse-CSP-Nonce-Placeholder"] = placeholder
        placeholder
      end
  end
  def shared_session_key
--- a/lib/middleware/csp_script_nonce_injector.rb
+++ b/lib/middleware/csp_script_nonce_injector.rb
@ -2,6 +2,8 @@
 module Middleware
  class CspScriptNonceInjector
    PLACEHOLDER_HEADER = "Discourse-CSP-Nonce-Placeholder"
    def initialize(app, settings = {})
      @app = app
    end
@ -9,7 +11,7 @@ module Middleware
    def call(env)
      status, headers, response = @app.call(env)
-      if nonce_placeholder = headers.delete("Discourse-CSP-Nonce-Placeholder")
+      if nonce_placeholder = headers.delete(PLACEHOLDER_HEADER)
        nonce = SecureRandom.alphanumeric(25)
        parts = []
        response.each { |part| parts << part.to_s.gsub(nonce_placeholder, nonce) }