Failure to add rollbar.js to page

[spdawson]

I am seeing the following in my Rails production log, using v2.13.3

Rollbar.js could not be added because undefined method `current_csp' for #<SecureHeaders::Configuration:0x000000051576d8> exception

This is after upgrading secure_headers from v3.4.1 to v3.5.0 --- the current_csp method has been removed. Overall, I can't help feeling that the secure_headers integration in the Rollbar gem is just trying to be a little too clever. I would much prefer to see a configuration option to disable the use of script nonces, rather than the current attempt to "do the right thing" with respect to the prevailing CSP.

[stclairdaniel]

Thanks for bringing this attention as well. We'll look into this and get back to you soon. Sorry for the delay.

[markoudev]

The lastest release of the Rollbar gem 2.14.0 doesn't seem to fix this. Are there any plans on fixing this in the next release?

Using rollbar-2.14.0 and secure_headers-3.5.1.

[stclairdaniel]

Sorry for the delay. We expect to work on SecureHeaders and the Rollbar gem soon.

[jcmuller]

I found the issue, or at least for us: we have secure headers, but we don't use CSP. A fix that works for us is here: https://github.com/rollbar/rollbar-gem/pull/565

[spdawson]

An alternative workaround is to monkey patch Rollbar to kill the script tag nonces; add the following to e.g. config/initializers/rollbar.rb

# Monkey patch Rollbar to prevent it from adding script tag nonces
require 'rollbar/middleware/js'
class Rollbar::Middleware::Js
  def append_nonce?
    false
  end
end

[rokob]

Related to #569

[richardsondx]

Still getting this error on: 'rails', '4.2.0' rollbar (3.1.1) secure_headers (6.3.0) ruby 2.3.0

[Rollbar] Rollbar.js could not be added because undefined method `to_a' for #<SecureHeaders::NoOpHeaderConfig:0x007fd1de550480>
Did you mean?  to_yaml
               to_s
               to_param
               to_h exception