islandjs-rails 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 80cf07099fd7b856ce591b2307d517d97660dd2b4fadbcbc277985a08a719699
-  data.tar.gz: 07a42108fc92d6a21f65e2c3b6149ec61af7cfc08f85ea15efc86cb519c07551
+  metadata.gz: 80cbddb05a05365fd47474178fd2fb2b403f69c597169fe16bcb93e558dbabb7
+  data.tar.gz: f342dd7687658b6c8df47cfa7566f2061517112eb248719c997b20ea2634d5bf
 SHA512:
-  metadata.gz: e33bfd8d2c20f5f84ab296c6745bcbcdd942b7a81575d484ed5ebe724fc693707033a5cdd72d2b2aad52bba55eca73ff30d7e81227f94d740088e8e7c703e604
-  data.tar.gz: bdbfd552e3934c08e1ebfce0cca422cc065affafc61adb46b21c57c63c1c645198a354ee41ff0ffd9938f6a6bdd248f96ba32928f5015d997f9dd91899314a39
+  metadata.gz: 5e3ed8b8c57007f2011c9b875cef7a84b4b4f262038bc2f9c92cc7e98ebfd9ed66b73c2b0fd7e9a1da9bee499b2a036f0c9ed48dd34dd9fdc99e680d82dae908
+  data.tar.gz: ec2afebea06a97b95b7c22b71596c30b704e44bbf5c5a8b0579a497b5b44f89056efcdc5dbf2179564d74b921301740e4feef340d8257c3adbd7c72203c9b703

data/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.5.0] - 2025-09-29
+
+### Added
+- **CSP support for script tags**: All IslandJS-generated `<script>` tags now automatically include a CSP nonce when one is present in the Rails request.  
+- **Flexible script attributes**: Helpers (`react_component`, `vue_component`, etc.) now support passing standard script attributes (`nonce`, `defer`, `async`, `crossorigin`, `integrity`).
+
+## [0.4.0] - 2025-08-10
+
+### Added
+- Add ENV flag to control the dev UMD bundle info footer. The floating footer is disabled by default and only shows in development when `ISLANDJS_RAILS_SHOW_UMD_DEBUG` is truthy.
+
 ## [0.3.0] - 2025-08-09
 
 ### Added

data/README.md

@@ -420,6 +420,7 @@ Renders a React component with Turbo-compatible lifecycle and optional placehold
 - `class`: CSS class for container
 - `placeholder_class`: CSS class for placeholder content
 - `placeholder_style`: Inline styles for placeholder content
+- Script attributes: `nonce` (auto-detected for CSP), `defer`, `async`, `crossorigin`, `integrity`
 
 ## Placeholder Support
 

data/lib/islandjs_rails/rails_helpers.rb

@@ -1,11 +1,14 @@
 module IslandjsRails
   module RailsHelpers
+    # Script attributes that can be passed through options
+    SCRIPT_ATTRIBUTES = %i[nonce defer async crossorigin integrity].freeze
+
     # Main helper method that combines all IslandJS functionality
-    def islands
+    def islands(**attributes)
       output = []
       output << island_partials  # Now uses vendor UMD partial
-      output << island_bundle_script
-      output << umd_versions_debug if Rails.env.development?
+      output << island_bundle_script(**attributes)
+      output << umd_versions_debug if umd_debug_enabled?
       output.compact.join("\n").html_safe
     end
 
@@ -22,29 +25,32 @@ module IslandjsRails
     end
 
     # Render the main IslandJS bundle script tag
-    def island_bundle_script
+    def island_bundle_script(**attributes)
       manifest_path = Rails.root.join('public', 'islands_manifest.json')
       bundle_path = '/islands_bundle.js'
-      
+
+      # Get formatted HTML attributes with defaults (including auto-nonce and defer)
+      html_attributes = script_html_attributes(defer: true, **attributes)
+
       unless File.exist?(manifest_path)
         # Fallback to direct bundle path when no manifest
-        return html_safe_string("<script src=\"#{bundle_path}\" defer></script>")
+        return html_safe_string("<script src=\"#{bundle_path}\"#{html_attributes}></script>")
       end
-      
+
       begin
         manifest = JSON.parse(File.read(manifest_path))
         # Look for islands_bundle.js in manifest
         bundle_file = manifest['islands_bundle.js']
-        
+
         if bundle_file
-          html_safe_string("<script src=\"#{bundle_file}\" defer></script>")
+          html_safe_string("<script src=\"#{bundle_file}\"#{html_attributes}></script>")
         else
           # Fallback to direct bundle path
-          html_safe_string("<script src=\"#{bundle_path}\" defer></script>")
+          html_safe_string("<script src=\"#{bundle_path}\"#{html_attributes}></script>")
         end
       rescue JSON::ParserError
         # Fallback to direct bundle path on manifest parse error
-        html_safe_string("<script src=\"#{bundle_path}\" defer></script>")
+        html_safe_string("<script src=\"#{bundle_path}\"#{html_attributes}></script>")
       end
     end
 
@@ -66,7 +72,11 @@ module IslandjsRails
       # Handle placeholder options
       placeholder_class = options[:placeholder_class]
       placeholder_style = options[:placeholder_style]
-      
+
+      # Extract script attributes from options
+      script_attributes = options.slice(*SCRIPT_ATTRIBUTES)
+      script_attributes.compact!
+
       # For turbo-cache compatibility, store initial state as JSON in data attribute
       initial_state_json = props.to_json
       
@@ -91,7 +101,7 @@ module IslandjsRails
       end
       
       # Generate the mounting script - pass container_id as the only prop for turbo-cache pattern
-      mount_script = generate_react_mount_script(component_name, component_id, namespace, namespace_with_optional)
+      mount_script = generate_react_mount_script(component_name, component_id, namespace, namespace_with_optional, **script_attributes)
       
       # Return the container div with data-initial-state and script
       data_part = data_attrs.empty? ? '' : " #{data_attrs}"
@@ -133,9 +143,13 @@ module IslandjsRails
       # Extract options
       tag_name = options[:tag] || 'div'
       css_class = options[:class] || ''
-      
+
+      # Extract script attributes from options
+      script_attributes = options.slice(*SCRIPT_ATTRIBUTES)
+      script_attributes.compact!
+
       # Generate the mounting script
-      mount_script = generate_vue_mount_script(component_name, component_id, props_json)
+      mount_script = generate_vue_mount_script(component_name, component_id, props_json, **script_attributes)
       
       # Return the container div and script
       container_html = "<#{tag_name} id=\"#{component_id}\" class=\"#{css_class}\"></#{tag_name}>"
@@ -181,7 +195,7 @@ module IslandjsRails
 
     # Legacy UMD helper methods for backward compatibility with tests
     def umd_versions_debug
-      return unless Rails.env.development?
+      return unless umd_debug_enabled?
       
       begin
         installed = IslandjsRails.core.send(:installed_packages)
@@ -237,6 +251,47 @@ module IslandjsRails
 
     private
 
+    # Format HTML attributes into a string
+    # Returns a string like ' nonce="abc123" defer' or empty string if no attributes
+    def format_html_attributes(**attributes)
+      return '' if attributes.empty?
+
+      attributes.filter_map do |key, value|
+        next if value.nil? || value == false
+        key_str = key.to_s.tr('_', '-')
+        value == true ? " #{key_str}" : " #{key_str}=\"#{value}\""
+      end.join
+    end
+
+    # Get default script attributes with auto-nonce detection
+    def default_script_attributes(**user_attributes)
+      attributes = {}
+
+      # Auto-add nonce if CSP is enabled and not explicitly provided
+      if !user_attributes.key?(:nonce) && respond_to?(:content_security_policy_nonce)
+        nonce = content_security_policy_nonce
+        attributes[:nonce] = nonce if nonce
+      end
+
+      attributes.merge(user_attributes)
+    end
+
+    # Get formatted HTML attributes string for script tags
+    def script_html_attributes(**attributes)
+      script_attributes = default_script_attributes(**attributes)
+      format_html_attributes(**script_attributes)
+    end
+
+    # Whether the floating UMD versions debug footer should render
+    def umd_debug_enabled?
+      return false unless Rails.env.development?
+
+      env_value = ENV['ISLANDJS_RAILS_SHOW_UMD_DEBUG']
+      return false if env_value.nil?
+
+      %w[1 true yes on].include?(env_value.to_s.strip.downcase)
+    end
+
     # Find the bundle file path (with manifest support)
     def find_bundle_path
       # Try manifest first (production)
@@ -264,9 +319,11 @@ module IslandjsRails
     end
 
     # Generate React component mounting script with Turbo compatibility
-    def generate_react_mount_script(component_name, component_id, namespace, namespace_with_optional)
+    def generate_react_mount_script(component_name, component_id, namespace, namespace_with_optional, **attributes)
+      html_attributes = script_html_attributes(**attributes)
+
       <<~JAVASCRIPT
-        <script>
+        <script#{html_attributes}>
           (function() {
             function mount#{component_name}() {
               const container = document.getElementById('#{component_id}');
@@ -350,9 +407,11 @@ module IslandjsRails
     end
 
     # Generate Vue component mounting script with Turbo compatibility
-    def generate_vue_mount_script(component_name, component_id, props_json)
+    def generate_vue_mount_script(component_name, component_id, props_json, **attributes)
+      html_attributes = script_html_attributes(**attributes)
+
       <<~JAVASCRIPT
-        <script>
+        <script#{html_attributes}>
           (function() {
             let vueApp = null;
             

data/lib/islandjs_rails/version.rb

@@ -1,3 +1,3 @@
 module IslandjsRails
-  VERSION = "0.3.0"
+  VERSION = "0.5.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: islandjs-rails
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Eric Arnold