
Should we change how we generate our CSP nonce?

Open G-Rath opened this issue 9 months ago • 3 comments

Currently we generate our nonce with a completely random value each time:

config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }

However, Rails 8 uses the request.session.id:

config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }

I believe technically this could mean more reuse in the generator, as the session id is presumably reused across all requests for the particular session, but I'm not sure if that actually matters (nor if it means that the actual nonce will be the same for all requests), and it might be nicer if we were aligned with the Rails default for future upgrades.

G-Rath avatar Mar 16 '25 21:03 G-Rath
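To make the difference between the two generators concrete, here is an added example that is not part of the issue or of the rails-template project. It runs the two lambdas from the post against a minimal stand-in for a Rails request (the `Session`/`Request` structs, `render_with_nonce`, `distinct_nonces` and the request-builder helpers are all assumptions made for this illustration; the real lambda receives an `ActionDispatch::Request`, and `request.session.id.to_s` is what turns the session id object into the string placed in the header). It shows that the random generator yields a fresh nonce on every request, while the session-id generator yields one nonce per session, reused across all of that session's requests, and that in both cases the nonce in the `Content-Security-Policy` header matches the one on the inline script.

```ruby
require "securerandom"

# Stand-ins for the parts of a Rails request the generators touch.
# Assumption: a session object exposing `id` is all the lambdas need here.
Session = Struct.new(:id)
Request = Struct.new(:session)

# The two generator styles quoted in the issue, as plain lambdas.
RANDOM_NONCE  = ->(_request) { SecureRandom.base64(16) }
SESSION_NONCE = ->(request)  { request.session.id.to_s }

# Hand-rolled equivalent of what the Rails helpers do with the nonce:
# it goes into the policy header and onto the inline script's attribute.
def render_with_nonce(generator, request)
  nonce = generator.call(request)
  {
    nonce: nonce,
    header: "script-src 'self' 'nonce-#{nonce}'",
    script: %(<script nonce="#{nonce}">window.cspOk = true;</script>),
  }
end

# A browser only runs the inline script if the attribute nonce appears in
# the policy. Extract both from the rendered output and compare.
def header_permits_script?(rendered)
  header_nonce = rendered[:header][/'nonce-([^']*)'/, 1]
  script_nonce = rendered[:script][/nonce="([^"]*)"/, 1]
  !header_nonce.nil? && !header_nonce.empty? && header_nonce == script_nonce
end

# How many distinct nonces does a generator produce over a batch of requests?
def distinct_nonces(generator, requests)
  requests.map { |r| generator.call(r) }.uniq.size
end

# n requests that all belong to one session (same session id).
def same_session_requests(n, session_id)
  Array.new(n) { Request.new(Session.new(session_id)) }
end

# n requests that each belong to a different session. Rails session ids are
# random hex strings; SecureRandom.hex(16) is used here as a stand-in.
def fresh_session_requests(n)
  Array.new(n) { Request.new(Session.new(SecureRandom.hex(16))) }
end

if __FILE__ == $PROGRAM_NAME
  one_session = same_session_requests(5, SecureRandom.hex(16))
  puts "random generator, one session:     #{distinct_nonces(RANDOM_NONCE, one_session)} distinct nonces"
  puts "session-id generator, one session: #{distinct_nonces(SESSION_NONCE, one_session)} distinct nonce(s)"
  puts "session-id generator, 5 sessions:  #{distinct_nonces(SESSION_NONCE, fresh_session_requests(5))} distinct nonces"
  rendered = render_with_nonce(SESSION_NONCE, one_session.first)
  puts rendered[:header]
  puts "script permitted by header: #{header_permits_script?(rendered)}"
end
```

The practical consequence for the question in the post: with the session-id generator the nonce really is the same string on every response in a session, so any page that is cached per session still carries a nonce the header will accept, whereas with the random generator a cached page would embed a nonce that no later response's header contains.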

Unless we have an actual compelling reason to not do what Rails does, I'd prefer we stick with what Rails would normally do.

joshmcarthur avatar Mar 20 '25 20:03 joshmcarthur

The pros and cons of both solutions are discussed in the Rails guide. I also lean towards what Rails does by default.

lukeify avatar Mar 20 '25 22:03 lukeify

We've decided to switch to the Rails default since we don't think there's an immediate or significant security issue, and it means a slightly smaller diff for future Rails upgrades.

G-Rath avatar Mar 21 '25 02:03 G-Rath