From d1a2596889206679c88cd94f31eb39e8d262229f Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Wed, 6 Mar 2024 13:01:32 +0000
Subject: [PATCH] DEV: Allow CSP nonce_placeholder to be generated outside Rails (#26052)
Sometimes we add scripts outside of Rails. This commit provides a way to generate a nonce placeholder even if you don't have access to an ApplicationController instance.
---
 app/helpers/application_helper.rb | 4 +---
 lib/content_security_policy.rb | 6 ++++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 8de56d2622a..7be04964336 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -66,9 +66,7 @@ module ApplicationHelper
 end
 def csp_nonce_placeholder
- response.headers[
- ::Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER
- ] ||= "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
+ ContentSecurityPolicy.nonce_placeholder(response.headers)
 end
 def shared_session_key
diff --git a/lib/content_security_policy.rb b/lib/content_security_policy.rb
index 107dc0437df..7f760c3b79d 100644
--- a/lib/content_security_policy.rb
+++ b/lib/content_security_policy.rb
@@ -7,6 +7,12 @@ class ContentSecurityPolicy
 def policy(theme_id = nil, base_url: Discourse.base_url, path_info: "/")
 new.build(theme_id, base_url: base_url, path_info: path_info)
 end
+
+ def nonce_placeholder(response_headers)
+ response_headers[
+ ::Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER
+ ] ||= "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
+ end
 end
 def build(theme_id, base_url:, path_info: "/")
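Review bot: The new `ContentSecurityPolicy.nonce_placeholder` is now a public entry point for code outside `ApplicationController`, but nothing documents the contract a caller must honour: the hash passed as `response_headers` has to be the same Rack response headers that `::Middleware::CspScriptNonceInjector` inspects, or the `[[csp_nonce_placeholder_…]]` token is never swapped for the real nonce and the emitted `<script nonce="…">` fails CSP (fails closed, but silently). A comment above the `def` would make that explicit, e.g. `# Returns the per-response placeholder that CspScriptNonceInjector later swaps` / `# for the real nonce. \`response_headers\` must be the Rack response headers that` / `# middleware sees, or the placeholder is never replaced and the script fails CSP.` It is also worth noting in the same comment that `||=` memoises the token in the header, so every call on one response yields the same placeholder and therefore the same nonce, and that the `SecureRandom.hex` suffix is presumably what keeps user-supplied content from ever matching the substitution target — worth confirming against the middleware. The enclosing `class << self` block that this method is added to starts outside the hunk.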