hanami 2.2.1 → 2.3.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f8538bd01b6c70d005b10ba4683326798d74af43f6e2999a98228176e9c4faeb
-  data.tar.gz: ebcb99c071cb38326509d1132fb06a3a5e2ed310fa77fdaf1fae020798293fca
+  metadata.gz: a8faef478dec45e673c25c67704b0fd7a363e784061412c64e96735040f2d07f
+  data.tar.gz: b88eac54b8ba6241645b616ba9eafd20d54edb888e7fca8abc9e310f414dabe5
 SHA512:
-  metadata.gz: 9f9c67c9648cd127a6f18781f1609869571b10ef6ca62e829cc300d6b4b0105e467656c08f59729edf519e8d92670131f53b3349e3093b47550683689199166c
-  data.tar.gz: aa13d4ab655a9d3a225e85b6c8c17c4cc2371a12dad72fe31eb08b1c27c709d0efa6abd9a020a5275af1cebd56b54e821409fe572ca51f1130fd9b579c18c35b
+  metadata.gz: 8233b2e453669ae1528c3cadd8032cbff3a7337c590bb0962d307ddd71bb8b18e28f56cc19a5644225efaf0ad0bfa2f5a008dd8fbae2615a9bc819906e47e1cc
+  data.tar.gz: 07551dada781667f44be90593599a0f505e9580d82d98c70df4e18e4288651e68fb26130d3504bf228dd2b7d2237af7494d7cfac86cd06ece733920657adfa83

data/CHANGELOG.md

@@ -1,6 +1,38 @@
 # Hanami
 
-The web, with simplicity.
+## [Unreleased]
+
+### Added
+
+### Changed
+
+### Deprecated
+
+### Removed
+
+### Fixed
+
+### Security
+
+## [v2.3.0.beta1] - 2025-10-03
+
+### Added
+
+- Add `config.console` settings to app. Set an alternative engine with e.g. `config.console.engine = :pry` (`:irb` is default). Add your own methods to the console with `config.console.include MyModule, AnotherModule`. (@alassek in #1540)
+- Support optional nonce in Rack requests, CSP header rules and view helpers (@svoop in #1500)
+- Check `ENV["APP_ENV"]` for the Hanami env if `ENV["HANAMI_ENV"]` is not set. The order of environment variable checks is now `HANAMI_ENV`->`APP_ENV`->`RACK_ENV` (@svoop in #1487).
+
+### Changed
+
+- Support both Rack v2 and v3. (@kyleplump in #1493)
+- Support single-character slice names. (@aaronmallen in #1528)
+
+### Fixed
+
+- Allow `include Deps` to be used in `Hanami::DB::Repo` subclasses. (@wuarmin in #1523)
+- Properly infer root relations for deeper `Hanami::DB::Repo` subclasses, such as in slices. (@wuarmin in #1478)
+- Delay loading `config/routes.rb` until after autoloading is setup, which means you can access your constants there. (@timriley in #1539)
+- Avoid warning from referencing deprecated `URI::DEFAULT_PARSER`. (@wuarmin in #1518)
 
 ## v2.2.1 - 2024-11-12
 
@@ -1478,3 +1510,7 @@ end
 - [Luca Guidi] Introduced `Lotus::Configuration`
 - [Luca Guidi] Introduced `Lotus::Application`
 - [Luca Guidi] Official support for MRI 2.0
+
+
+[unreleased]: https://github.com/hanami/hanami/compare/v2.3.0.beta1...HEAD
+[v2.3.0.beta1] https://github.com/hanami/hanami/compare/v2.2.1...v2.3.0.beta1

data/README.md

@@ -1,12 +1,6 @@
 # Hanami :cherry_blossom:
 
-The web, with simplicity.
-
-## Version
-
-**This branch contains the code for `hanami`: 2.2**
-
-## Frameworks
+**A flexible framework for maintainable Ruby apps.**
 
 Hanami is a **full-stack** Ruby web framework. It's made up of smaller, single-purpose libraries.
 
@@ -14,8 +8,8 @@ This repository is for the full-stack framework, which provides the glue that ti
 
 * [**Hanami::Router**](https://github.com/hanami/router) - Rack compatible HTTP router for Ruby
 * [**Hanami::Controller**](https://github.com/hanami/controller) - Full featured, fast and testable actions for Rack
-* [**Hanami::Validations**](https://github.com/hanami/validations) - Parameter validations & coercion for actions
 * [**Hanami::View**](https://github.com/hanami/view) - Presentation with a separation between views and templates
+* [**Hanami::DB**](https://github.com/hanami/db) - Database integration, complete with migrations, repositories, relations, and structs
 * [**Hanami::Assets**](https://github.com/hanami/assets) - Assets management for Ruby
 
 These components are designed to be used independently or together in a Hanami application.
@@ -24,12 +18,10 @@ These components are designed to be used independently or together in a Hanami a
 
 [![Gem Version](https://badge.fury.io/rb/hanami.svg)](https://badge.fury.io/rb/hanami)
 [![CI](https://github.com/hanami/hanami/actions/workflows/ci.yml/badge.svg)](https://github.com/hanami/hanami/actions?query=workflow%3Aci+branch%3Amain)
-[![Test Coverage](https://codecov.io/gh/hanami/hanami/branch/main/graph/badge.svg)](https://codecov.io/gh/hanami/hanami)
-[![Depfu](https://badges.depfu.com/badges/ba000e0f69e6ef1c44cd3038caaa1841/overview.svg)](https://depfu.com/github/hanami/hanami?project=Bundler)
 
 ## Installation
 
-__Hanami__ supports Ruby (MRI) 3.1+.
+Hanami supports Ruby (MRI) 3.1+.
 
 ```shell
 gem install hanami
@@ -40,7 +32,8 @@ gem install hanami
 ```shell
 hanami new bookshelf
 cd bookshelf && bundle
-bundle exec hanami server # visit http://localhost:2300
+bundle exec hanami dev
+# Now visit http://localhost:2300
 ```
 
 Please follow along with the [Getting Started guide](https://guides.hanamirb.org/getting-started/).
@@ -49,30 +42,22 @@ Please follow along with the [Getting Started guide](https://guides.hanamirb.org
 
 You can give back to Open Source, by supporting Hanami development via [GitHub Sponsors](https://github.com/sponsors/hanami).
 
-### Supporters
-
-  * [Trung Lê](https://github.com/runlevel5)
-  * [James Carlson](https://github.com/jxxcarlson)
-  * [Creditas](https://www.creditas.com.br/)
-
 ## Contact
 
-* Home page: http://hanamirb.org
-* Community: http://hanamirb.org/community
-* Guides: https://guides.hanamirb.org
-* Snippets: https://snippets.hanamirb.org
-* Mailing List: http://hanamirb.org/mailing-list
-* API Doc: https://gemdocs.org/gems/hanami/latest
-* Bugs/Issues: https://github.com/hanami/hanami/issues
-* Stack Overflow: http://stackoverflow.com/questions/tagged/hanami
-* Forum: https://discourse.hanamirb.org
-* **Chat**: http://chat.hanamirb.org
+* [Home page](http://hanamirb.org)
+* [Community](http://hanamirb.org/community)
+* [Guides](https://guides.hanamirb.org)
+* [Issues](https://github.com/hanami/hanami/issues)
+* [Forum](https://discourse.hanamirb.org)
+* [Chat](https://discord.gg/KFCxDmk3JQ)
 
 ## Community
 
-We strive for an inclusive and helpful community. We have a [Code of Conduct](http://hanamirb.org/community/#code-of-conduct) to handle controversial cases. In general, we expect **you** to be **nice** with other people. Our hope is for a great software and a great Community.
+We care about building a friendly, inclusive and helpful community. We welcome people of all backgrounds, genders and experience levels, and respect you all equally.
+
+We do not tolerate nazis, transphobes, racists, or any kind of bigotry. See our [code of conduct](http://hanamirb.org/community/#code-of-conduct) for more.
 
-## Contributing [![Open Source Helpers](https://www.codetriage.com/hanami/hanami/badges/users.svg)](https://www.codetriage.com/hanami/hanami)
+## Contributing
 
 1. Fork it ( https://github.com/hanami/hanami/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
@@ -110,14 +95,14 @@ $ bundle exec rspec path/to/spec.rb
 
 ### Development Requirements
 
-  * Ruby >= 3.1
-  * Bundler
-  * Node.js (MacOS)
+* Ruby >= 3.1
+* Bundler
+* Node.js
 
 ## Versioning
 
-__Hanami__ uses [Semantic Versioning 2.0.0](http://semver.org)
+Hanami uses [Semantic Versioning 2.0.0](http://semver.org).
 
 ## Copyright
 
-Copyright © 2014–2024 Hanami Team – Released under MIT License.
+Copyright © 2014–2025 Hanami Team – Released under MIT License.

data/hanami.gemspec

@@ -38,12 +38,13 @@ Gem::Specification.new do |spec|
   spec.add_dependency "dry-monitor",      "~> 1.0", ">= 1.0.1", "< 2"
   spec.add_dependency "dry-system",       "~> 1.1"
   spec.add_dependency "dry-logger",       "~> 1.0", "< 2"
-  spec.add_dependency "hanami-cli",       "~> 2.2.1"
+  spec.add_dependency "hanami-cli",       "~> 2.3.0.beta1"
   spec.add_dependency "hanami-utils",     "~> 2.2"
   spec.add_dependency "json",             ">= 2.7.2"
   spec.add_dependency "zeitwerk",         "~> 2.6"
+  spec.add_dependency "rack-session"
 
   spec.add_development_dependency "rspec",     "~> 3.8"
-  spec.add_development_dependency "rack-test", "~> 1.1"
+  spec.add_development_dependency "rack-test", "~> 2.0"
   spec.add_development_dependency "rake",      "~> 13.0"
 end

data/lib/hanami/app.rb

@@ -168,6 +168,8 @@ module Hanami
       end
 
       def prepare_autoloader
+        autoloader.tag = "hanami.app.#{slice_name.name}"
+
         # Component dirs are automatically pushed to the autoloader by dry-system's zeitwerk plugin.
         # This method adds other dirs that are not otherwise configured as component dirs.
 

data/lib/hanami/config/actions/content_security_policy.rb

@@ -96,6 +96,29 @@ module Hanami
           @policy.delete(key)
         end
 
+        # Returns true if 'nonce' is used in any of the policies.
+        #
+        # @return [Boolean]
+        #
+        # @api public
+        # @since x.x.x
+        def nonce?
+          @policy.any? { _2.match?(/'nonce'/) }
+        end
+
+        # Returns an array of middleware name to support 'nonce' in
+        # policies, or an empty array if 'nonce' is not used.
+        #
+        # @return [Array<(Symbol, Array)>]
+        #
+        # @api public
+        # @since x.x.x
+        def middleware
+          return [] unless nonce?
+
+          [Hanami::Middleware::ContentSecurityPolicyNonce]
+        end
+
         # @since 2.0.0
         # @api private
         def to_s

data/lib/hanami/config/actions.rb

@@ -74,6 +74,23 @@ module Hanami
       # @since 2.0.0
       attr_accessor :content_security_policy
 
+      # Returns the proc to generate Content Security Policy nonce values.
+      #
+      # The current Rack request object is provided as an optional argument
+      # to the proc, enabling the generation of nonces based on session IDs.
+      #
+      # @example Independent random nonce (default)
+      #   -> { SecureRandom.urlsafe_base64(16) }
+      #
+      # @example Session dependent nonce
+      #   ->(request) { Digest::SHA256.base64digest(request.session[:uuid])[0, 16] }
+      #
+      # @return [Proc]
+      #
+      # @api public
+      # @since x.x.x
+      setting :content_security_policy_nonce_generator, default: -> { SecureRandom.urlsafe_base64(16) }
+
       # @!attribute [rw] method_override
       #   Sets or returns whether HTTP method override should be enabled for action classes.
       #
@@ -138,6 +155,10 @@ module Hanami
         end
       end
 
+      # @api public
+      # @since x.x.x
+      def content_security_policy? = !!@content_security_policy
+
       private
 
       # Apply defaults for base config

data/lib/hanami/config/console.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "dry/configurable"
+
+module Hanami
+  class Config
+    # Hanami console config
+    #
+    # @since 2.3.0
+    # @api public
+    class Console
+      include Dry::Configurable
+
+      # @!attribute [rw] engine
+      #  Sets or returns the interactive console engine to be used by `hanami console`.
+      #  Supported values are `:irb` (default) and `:pry`.
+      #
+      #  @example
+      #    config.console.engine = :pry
+      #
+      #  @return [Symbol]
+      #
+      #  @api public
+      #  @since 2.3.0
+      setting :engine, default: :irb
+
+      # Returns the complete list of extensions to be used in the console
+      #
+      # @example
+      #   config.console.include MyExtension, OtherExtension
+      #   config.console.include ThirdExtension
+      #
+      #   config.console.extensions
+      #   # => [MyExtension, OtherExtension, ThirdExtension]
+      #
+      # @return [Array<Module>]
+      #
+      # @api public
+      # @since 2.3.0
+      def extensions = @extensions.dup.freeze
+
+      # Define a module extension to be included in the console
+      #
+      # @param mod [Module] one or more modules to be included in the console
+      # @return [void]
+      #
+      # @api public
+      # @since 2.3.0
+      def include(*mod)
+        @extensions.concat(mod).uniq!
+      end
+
+      # @api private
+      def initialize
+        @extensions = []
+      end
+
+      private
+
+      # @api private
+      def initialize_copy(source)
+        super
+        @extensions = [*source.extensions]
+      end
+
+      def method_missing(name, *args, &block)
+        if config.respond_to?(name)
+          config.public_send(name, *args, &block)
+        else
+          super
+        end
+      end
+
+      def respond_to_missing?(name, _include_all = false)
+        config.respond_to?(name) || super
+      end
+    end
+  end
+end

data/lib/hanami/config/logger.rb

@@ -101,7 +101,7 @@ module Hanami
       #   Sets or returns a hash of options to pass to the {logger_constructor} when initializing
       #   the logger.
       #
-      #   Defaults to `[]`
+      #   Defaults to `{}`
       #
       #   @return [Hash]
       #

data/lib/hanami/config.rb

@@ -6,6 +6,7 @@ require "dry/configurable"
 require "dry/inflector"
 
 require_relative "constants"
+require_relative "config/console"
 
 module Hanami
   # Hanami app config
@@ -184,6 +185,18 @@ module Hanami
       "Hanami::Router::NotFoundError" => :not_found,
     )
 
+    # @!attribute [rw] console
+    #   Returns the app's console config
+    # 
+    #   @example
+    #     config.console.engine # => :irb
+    # 
+    #   @return [Hanami::Config::Console]
+    # 
+    #   @api public
+    #   @since 2.3.0
+    setting :console, default: Hanami::Config::Console.new
+
     # Returns the app or slice's {Hanami::SliceName slice_name}.
     #
     # This is useful for default config values that depend on this name.

data/lib/hanami/constants.rb

@@ -56,4 +56,7 @@ module Hanami
   # @api private
   RB_EXT_REGEXP = %r{.rb$}
   private_constant :RB_EXT_REGEXP
+
+  # @api private
+  CONTENT_SECURITY_POLICY_NONCE_REQUEST_KEY = "hanami.content_security_policy_nonce"
 end

data/lib/hanami/extensions/db/repo.rb

@@ -69,7 +69,8 @@ module Hanami
           resolve_rom = method(:resolve_rom)
 
           define_method(:new) do |**kwargs|
-            super(container: kwargs.fetch(:container) { resolve_rom.() })
+            container = kwargs.delete(:container) || resolve_rom.()
+            super(container: container, **kwargs)
           end
         end
 
@@ -77,14 +78,18 @@ module Hanami
           slice["db.rom"]
         end
 
-        def root_for_repo_class(repo_class)
-          return unless repo_class.to_s.end_with?("Repo")
+        REPO_CLASS_NAME_REGEX = /^(?<name>.+)_(repo|repository)$/
 
-          slice.inflector.demodulize(repo_class)
+        def root_for_repo_class(repo_class)
+          repo_class_name = slice.inflector.demodulize(repo_class)
             .then { slice.inflector.underscore(_1) }
-            .then { _1.gsub(/_repo$/, "") }
+
+          repo_class_match = repo_class_name.match(REPO_CLASS_NAME_REGEX)
+          return unless repo_class_match
+
+          repo_class_match[:name]
             .then { slice.inflector.pluralize(_1) }
-            .then { _1.to_sym }
+            .then(&:to_sym)
         end
 
         def struct_namespace

data/lib/hanami/extensions/view/context.rb

@@ -172,6 +172,16 @@ module Hanami
               @request
             end
 
+            # Returns true if the view is rendered from within an action and a request is available.
+            #
+            # @return [Boolean]
+            #
+            # @api public
+            # @since x.x.x
+            def request?
+              !!@request
+            end
+
             # Returns the app's routes helper.
             #
             # @return [Hanami::Slice::RoutesHelper] the routes helper

data/lib/hanami/helpers/assets_helper.rb

@@ -2,6 +2,7 @@
 
 require "uri"
 require "hanami/view"
+require_relative "../constants"
 
 # rubocop:disable Metrics/ModuleLength
 
@@ -61,7 +62,10 @@ module Hanami
 
       # @since 0.3.0
       # @api private
-      ABSOLUTE_URL_MATCHER = URI::DEFAULT_PARSER.make_regexp
+      # TODO: we can drop the defined?-check and fallback once Ruby 3.3 becomes our minimum required version
+      ABSOLUTE_URL_MATCHER = (
+        defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::DEFAULT_PARSER
+      ).make_regexp
 
       # @since 1.1.0
       # @api private
@@ -85,7 +89,12 @@ module Hanami
       # name of the algorithm, then a hyphen, then the hash value of the file.
       # If more than one algorithm is used, they"ll be separated by a space.
       #
-      # @param source_paths [Array<String, #url>] one or more assets by name or absolute URL
+      # If the Content Security Policy uses 'nonce' and the source is not
+      # absolute, the nonce value of the current request is automatically added
+      # as an attribute. You can override this with the `nonce: false` option.
+      # See {#content_security_policy_nonce} for more.
+      #
+      # @param sources [Array<String, #url>] one or more assets by name or absolute URL
       #
       # @return [Hanami::View::HTML::SafeString] the markup
       #
@@ -136,6 +145,10 @@ module Hanami
       #
       #   # <script src="/assets/application.js" type="text/javascript" defer="defer"></script>
       #
+      # @example Disable nonce
+      #
+      #   <%= javascript_tag "application", nonce: false %>
+      #
       # @example Absolute URL
       #
       #   <%= javascript_tag "https://code.jquery.com/jquery-2.1.4.min.js" %>
@@ -154,13 +167,15 @@ module Hanami
       #
       #   # <script src="https://assets.bookshelf.org/assets/application-28a6b886de2372ee3922fcaf3f78f2d8.js"
       #   #         type="text/javascript"></script>
-      def javascript_tag(*source_paths, **options)
+      def javascript_tag(*sources, **options)
         options = options.reject { |k, _| k.to_sym == :src }
+        nonce_option = options.delete(:nonce)
 
-        _safe_tags(*source_paths) do |source|
+        _safe_tags(*sources) do |source|
           attributes = {
-            src: _typed_path(source, JAVASCRIPT_EXT),
-            type: JAVASCRIPT_MIME_TYPE
+            src: _typed_url(source, JAVASCRIPT_EXT),
+            type: JAVASCRIPT_MIME_TYPE,
+            nonce: _nonce(source, nonce_option)
           }
           attributes.merge!(options)
 
@@ -189,7 +204,12 @@ module Hanami
       # name of the algorithm, then a hyphen, then the hashed value of the file.
       # If more than one algorithm is used, they"ll be separated by a space.
       #
-      # @param source_paths [Array<String, #url>] one or more assets by name or absolute URL
+      # If the Content Security Policy uses 'nonce' and the source is not
+      # absolute, the nonce value of the current request is automatically added
+      # as an attribute. You can override this with the `nonce: false` option.
+      # See {#content_security_policy_nonce} for more.
+      #
+      # @param sources [Array<String, #url>] one or more assets by name or absolute URL
       #
       # @return [Hanami::View::HTML::SafeString] the markup
       #
@@ -214,6 +234,10 @@ module Hanami
       #   # <link href="/assets/application.css" type="text/css" rel="stylesheet">
       #   # <link href="/assets/dashboard.css" type="text/css" rel="stylesheet">
       #
+      # @example Disable nonce
+      #
+      #   <%= stylesheet_tag "application", nonce: false %>
+      #
       # @example Subresource Integrity
       #
       #   <%= stylesheet_tag "application" %>
@@ -247,19 +271,21 @@ module Hanami
       #
       #   # <link href="https://assets.bookshelf.org/assets/application-28a6b886de2372ee3922fcaf3f78f2d8.css"
       #   #       type="text/css" rel="stylesheet">
-      def stylesheet_tag(*source_paths, **options)
+      def stylesheet_tag(*sources, **options)
         options = options.reject { |k, _| k.to_sym == :href }
+        nonce_option = options.delete(:nonce)
 
-        _safe_tags(*source_paths) do |source_path|
+        _safe_tags(*sources) do |source|
           attributes = {
-            href: _typed_path(source_path, STYLESHEET_EXT),
+            href: _typed_url(source, STYLESHEET_EXT),
             type: STYLESHEET_MIME_TYPE,
-            rel: STYLESHEET_REL
+            rel: STYLESHEET_REL,
+            nonce: _nonce(source, nonce_option)
           }
           attributes.merge!(options)
 
           if _context.assets.subresource_integrity? || attributes.include?(:integrity)
-            attributes[:integrity] ||= _subresource_integrity_value(source_path, STYLESHEET_EXT)
+            attributes[:integrity] ||= _subresource_integrity_value(source, STYLESHEET_EXT)
             attributes[:crossorigin] ||= CROSSORIGIN_ANONYMOUS
           end
 
@@ -626,7 +652,7 @@ module Hanami
       #
       # If CDN mode is on, it returns the absolute URL of the asset.
       #
-      # @param source_path [String, #url] the asset name or asset object
+      # @param source [String, #url] the asset name or asset object
       #
       # @return [String] the asset path
       #
@@ -665,42 +691,71 @@ module Hanami
       #   <%= asset_url "application.js" %>
       #
       #   # "https://assets.bookshelf.org/assets/application-28a6b886de2372ee3922fcaf3f78f2d8.js"
-      def asset_url(source_path)
-        return source_path.url if source_path.respond_to?(:url)
-        return source_path if _absolute_url?(source_path)
+      def asset_url(source)
+        return source.url if source.respond_to?(:url)
+        return source if _absolute_url?(source)
 
-        _context.assets[source_path].url
+        _context.assets[source].url
+      end
+
+      # Random per request nonce value for Content Security Policy (CSP) rules.
+      #
+      # If the `Hanami::Middleware::ContentSecurityPolicyNonce` middleware is
+      # in use, this helper returns the nonce value for the current request
+      # or `nil` otherwise.
+      #
+      # For this policy to work in the browser, you have to add the `'nonce'`
+      # placeholder to the script and/or style source policy rule. It will be
+      # substituted by the current nonce value like `'nonce-A12OggyZ'.
+      #
+      # @return [String, nil] nonce value of the current request
+      #
+      # @since x.x.x
+      #
+      # @example App configuration
+      #
+      #   config.middleware.use Hanami::Middleware::ContentSecurityPolicyNonce
+      #   config.actions.content_security_policy[:script_src] = "'self' 'nonce'"
+      #   config.actions.content_security_policy[:style_src] = "'self' 'nonce'"
+      #
+      # @example View helper
+      #
+      #   <script nonce="<%= content_security_policy_nonce %>">
+      def content_security_policy_nonce
+        return unless _context.request?
+
+        _context.request.env[CONTENT_SECURITY_POLICY_NONCE_REQUEST_KEY]
       end
 
       private
 
       # @since 2.1.0
       # @api private
-      def _safe_tags(*source_paths, &blk)
+      def _safe_tags(*sources, &blk)
         ::Hanami::View::HTML::SafeString.new(
-          source_paths.map(&blk).join(NEW_LINE_SEPARATOR)
+          sources.map(&blk).join(NEW_LINE_SEPARATOR)
         )
       end
 
       # @since 2.1.0
       # @api private
-      def _typed_path(source, ext)
+      def _typed_url(source, ext)
         source = "#{source}#{ext}" if source.is_a?(String) && _append_extension?(source, ext)
         asset_url(source)
       end
 
       # @api private
-      def _subresource_integrity_value(source_path, ext)
-        return if _absolute_url?(source_path)
+      def _subresource_integrity_value(source, ext)
+        return if _absolute_url?(source)
 
-        source_path = "#{source_path}#{ext}" unless /#{Regexp.escape(ext)}\z/.match?(source_path)
-        _context.assets[source_path].sri
+        source = "#{source}#{ext}" unless /#{Regexp.escape(ext)}\z/.match?(source)
+        _context.assets[source].sri
       end
 
       # @since 2.1.0
       # @api private
       def _absolute_url?(source)
-        ABSOLUTE_URL_MATCHER.match(source)
+        ABSOLUTE_URL_MATCHER.match?(source.respond_to?(:url) ? source.url : source)
       end
 
       # @since 1.2.0
@@ -711,6 +766,18 @@ module Hanami
         _context.assets.crossorigin?(source)
       end
 
+      # @since x.x.x
+      # @api private
+      def _nonce(source, nonce_option)
+        if nonce_option == false
+          nil
+        elsif nonce_option == true || (nonce_option.nil? && !_absolute_url?(source))
+          content_security_policy_nonce
+        else
+          nonce_option
+        end
+      end
+
       # @since 2.1.0
       # @api private
       def _source_options(src, options, &blk)