RubyGems - phraseapp-in-context-editor-ruby - Versions diffs - 3.1.0 → 3.2.0 - Mend

phraseapp-in-context-editor-ruby 3.1.0 → 3.2.0

Files changed (10) hide show

checksums.yaml +4 -4
data/.github/workflows/release.yml +12 -4
data/CHANGELOG.md +14 -0
data/Gemfile.lock +1 -1
data/README.md +17 -2
data/examples/demo/app/views/layouts/application.html.erb +1 -1
data/examples/demo/config/initializers/content_security_policy.rb +19 -19
data/lib/phraseapp-in-context-editor-ruby/version.rb +1 -1
data/lib/phraseapp-in-context-editor-ruby/view_helpers.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 900986756f3ba71519a83b5168774f3fbcccde7956535ced2a907e1a1725978c
-  data.tar.gz: 33ed4e6bc473b1b456a4955f5253aeb637864fde544968051f88d95948a21666
+  metadata.gz: 17c6c5e0a0f37c12c316ad48fbbd6f8778c4e1b019c42d30aa4ead61fc878d34
+  data.tar.gz: b1efe28346b9ac381949d14f5106ae160dc4a31f02c8555c86f597a2f7d2db12
 SHA512:
-  metadata.gz: 4eb5593cd10987c04b61726aa051b6c962b3b1f2bf83841f1ab0c3f80c319881cf71517f47a5f1c2ca3c73c6e4d86eca90532b87f476b887a11c3b72bdae255e
-  data.tar.gz: 0eed67e1f200e262044f3cb936f3e88c1f1bea485565345ad3a24f1f6ca34109a61b20878500f6911b12f9d69e81f2eac0b8dcfa26784dddeaf673b2008d821a
+  metadata.gz: 62f3914be6e79486b27fae858447f4d8f137a529c2df9305a3cdbd87703ab43fbea431ea31bddf993a5e240975ab373663a385d6727972f90bbd6665d698e84c
+  data.tar.gz: 3da9433f686cd2d4a6d5df36501ecb65501ec15be85d9980dcc13bca98ba5be813e48f7f304c82929086d451d22a88472544903ff6435e830a1586288092ee56

data/.github/workflows/release.yml CHANGED Viewed

@@ -3,9 +3,20 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
@@ -13,14 +24,11 @@ jobs:
           node-version: 20
       - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939
         with:
-          ruby-version: '3.2' # Not needed with a .ruby-version file
+          ruby-version: "3.2" # Not needed with a .ruby-version file
       - name: Install dependencies
         run: npm install && bundle install
-      - name: Build and validate gem
-        run: gem build
       - name: Semantic Release
         uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4
         env:

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,17 @@
+# [3.2.0](https://github.com/phrase/phraseapp-in-context-editor-ruby/compare/v3.1.1...v3.2.0) (2024-07-11)
+### Features
+* Added nonce support ([#86](https://github.com/phrase/phraseapp-in-context-editor-ruby/issues/86)) ([e7df6f7](https://github.com/phrase/phraseapp-in-context-editor-ruby/commit/e7df6f7b279c3823dd8a99f0b5d6e2d025863ca7))
+## [3.1.1](https://github.com/phrase/phraseapp-in-context-editor-ruby/compare/v3.1.0...v3.1.1) (2024-06-14)
+### Bug Fixes
+* Adjust workflow permissions so it can bump version ([#85](https://github.com/phrase/phraseapp-in-context-editor-ruby/issues/85)) ([42e00ed](https://github.com/phrase/phraseapp-in-context-editor-ruby/commit/42e00ed821fb594415a1b12d3c3e3ac2c24f951f))
 # [3.1.0](https://github.com/phrase/phraseapp-in-context-editor-ruby/compare/v3.0.1...v3.1.0) (2024-06-14)

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    phraseapp-in-context-editor-ruby (3.0.0)
+    phraseapp-in-context-editor-ruby (3.1.0)
       i18n (~> 1.0)
       json (~> 2.0)
       request_store (~> 1.2)

data/README.md CHANGED Viewed

@@ -10,8 +10,8 @@
 To use phraseapp-in-context-editor-ruby with your application you have to:
-* Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup)
-* Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html)
+- Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup)
+- Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html)
 ### Demo
@@ -21,11 +21,13 @@ Login via the demo credentials `demo@phrase.com` / `phrase`
 ### Installation
 #### NOTE: You can not use the old version of the ICE with integration versions of >2.0.0, you have to instead use 1.x.x versions as before
 #### via Gem
 ```bash
 gem install phraseapp-in-context-editor-ruby
 ```
 #### via Bundler
 Add it to your `Gemfile`
@@ -84,6 +86,7 @@ Old version of the ICE is not available since version 2.0.0. If you still would
 #### Using the US Datacenter with ICE
 In addition to the settings in your `config/initializers/phraseapp_in_context_editor.rb`, set the US datacenter to enable the ICE to work with the US endpoints.
 ```ruby
   config.enabled = true
   config.project_id = "YOUR_PROJECT_ID"
@@ -91,6 +94,18 @@ In addition to the settings in your `config/initializers/phraseapp_in_context_ed
   config.datacenter = "us"
 ```
+#### Using with CSP
+The script will automatically get the nonce from `content_security_policy_nonce`
+The content_security_policy.rb has to have `:strict_dynamic` for `policy.script_src` since we are loading more scripts dynamically because of our way of deploying
+```ruby
+  policy.script_src :self, :https, :strict_dynamic
+  policy.style_src :self, :https
+```
+The `config.content_security_policy_nonce_directives = %w[script-src style-src]` can include `style-src` but this _might_ break some styling in some cases
 ### Browser support
 This library might not work out of the box for some older browser or IE11. We recommend to add [Babel](https://github.com/babel/babel) to the build pipeline if those browser need to be supported.

data/examples/demo/app/views/layouts/application.html.erb CHANGED Viewed

@@ -6,7 +6,7 @@
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
+    <%= stylesheet_link_tag "application", "data-turbo-track": "reload", nonce: true %>
     <%= javascript_importmap_tags %>
     <%= load_in_context_editor %>
   </head>

data/examples/demo/config/initializers/content_security_policy.rb CHANGED Viewed

@@ -4,22 +4,22 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
-#   # Generate session nonces for permitted importmap and inline scripts
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
-#
-#   # Report violations without enforcing the policy.
-#   # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+  config.content_security_policy do |policy|
+    policy.default_src :self, :https
+    policy.font_src :self, :https, :data
+    policy.img_src :self, :https, :data
+    policy.object_src :none
+    policy.script_src :self, :https, :strict_dynamic
+    policy.style_src :self, :https
+    # Specify URI for violation reports
+    # policy.report_uri "/csp-violation-report-endpoint"
+  end
+  # Generate session nonces for permitted importmap and inline scripts
+  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  config.content_security_policy_nonce_directives = %w[script-src style-src]
+  # Report violations without enforcing the policy.
+  # config.content_security_policy_report_only = true
+end

data/lib/phraseapp-in-context-editor-ruby/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module PhraseappInContextEditor
-  VERSION = "3.1.0"
+  VERSION = "3.2.0"
 end

data/lib/phraseapp-in-context-editor-ruby/view_helpers.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module PhraseApp
         }.merge(opts)
         snippet = <<-EOS
-        <script>
+        <script nonce='#{content_security_policy_nonce}'>
           window.PHRASEAPP_CONFIG = #{configuration.to_json};
           (function() {
             let phraseapp = document.createElement('script');

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: phraseapp-in-context-editor-ruby
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Phrase
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-14 00:00:00.000000000 Z
+date: 2024-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json