RubyGems - phraseapp-in-context-editor-ruby - Versions diffs - 3.1.1 → 3.2.0 - Mend

phraseapp-in-context-editor-ruby 3.1.1 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +7 -0
data/README.md +17 -2
data/examples/demo/app/views/layouts/application.html.erb +1 -1
data/examples/demo/config/initializers/content_security_policy.rb +19 -19
data/lib/phraseapp-in-context-editor-ruby/version.rb +1 -1
data/lib/phraseapp-in-context-editor-ruby/view_helpers.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1d26e42fffd5138a7fecf9273413a584f2e0bac55f0c9ec280f2ff3f2c48701b
-  data.tar.gz: 675aa580225c7edf371c0b031a9b4dba485e36c72a71ebdbc991738548eb9ae3
+  metadata.gz: 17c6c5e0a0f37c12c316ad48fbbd6f8778c4e1b019c42d30aa4ead61fc878d34
+  data.tar.gz: b1efe28346b9ac381949d14f5106ae160dc4a31f02c8555c86f597a2f7d2db12
 SHA512:
-  metadata.gz: 45d475e3a53d156711097c0926df63c9bc89a0ad78ffb56b908e48d11b5db0cc70267ac629edd0d24c7a0835572411fce36ff08b9de021e2787a1c389a11ae7d
-  data.tar.gz: 546bd0fa0eca47a62078b7f20b0e2ed1215fad2c73dcb0367f01c25fe235e64a16c4301d0a48ff665f67ed93a293b5556e5aadeadbe1fc2911f2b419e0ee074a
+  metadata.gz: 62f3914be6e79486b27fae858447f4d8f137a529c2df9305a3cdbd87703ab43fbea431ea31bddf993a5e240975ab373663a385d6727972f90bbd6665d698e84c
+  data.tar.gz: 3da9433f686cd2d4a6d5df36501ecb65501ec15be85d9980dcc13bca98ba5be813e48f7f304c82929086d451d22a88472544903ff6435e830a1586288092ee56

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,10 @@
+# [3.2.0](https://github.com/phrase/phraseapp-in-context-editor-ruby/compare/v3.1.1...v3.2.0) (2024-07-11)
+### Features
+* Added nonce support ([#86](https://github.com/phrase/phraseapp-in-context-editor-ruby/issues/86)) ([e7df6f7](https://github.com/phrase/phraseapp-in-context-editor-ruby/commit/e7df6f7b279c3823dd8a99f0b5d6e2d025863ca7))
 ## [3.1.1](https://github.com/phrase/phraseapp-in-context-editor-ruby/compare/v3.1.0...v3.1.1) (2024-06-14)

data/README.md CHANGED Viewed

@@ -10,8 +10,8 @@
 To use phraseapp-in-context-editor-ruby with your application you have to:
-* Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup)
-* Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html)
+- Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup)
+- Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html)
 ### Demo
@@ -21,11 +21,13 @@ Login via the demo credentials `demo@phrase.com` / `phrase`
 ### Installation
 #### NOTE: You can not use the old version of the ICE with integration versions of >2.0.0, you have to instead use 1.x.x versions as before
 #### via Gem
 ```bash
 gem install phraseapp-in-context-editor-ruby
 ```
 #### via Bundler
 Add it to your `Gemfile`
@@ -84,6 +86,7 @@ Old version of the ICE is not available since version 2.0.0. If you still would
 #### Using the US Datacenter with ICE
 In addition to the settings in your `config/initializers/phraseapp_in_context_editor.rb`, set the US datacenter to enable the ICE to work with the US endpoints.
 ```ruby
   config.enabled = true
   config.project_id = "YOUR_PROJECT_ID"
@@ -91,6 +94,18 @@ In addition to the settings in your `config/initializers/phraseapp_in_context_ed
   config.datacenter = "us"
 ```
+#### Using with CSP
+The script will automatically get the nonce from `content_security_policy_nonce`
+The content_security_policy.rb has to have `:strict_dynamic` for `policy.script_src` since we are loading more scripts dynamically because of our way of deploying
+```ruby
+  policy.script_src :self, :https, :strict_dynamic
+  policy.style_src :self, :https
+```
+The `config.content_security_policy_nonce_directives = %w[script-src style-src]` can include `style-src` but this _might_ break some styling in some cases
 ### Browser support
 This library might not work out of the box for some older browser or IE11. We recommend to add [Babel](https://github.com/babel/babel) to the build pipeline if those browser need to be supported.

data/examples/demo/app/views/layouts/application.html.erb CHANGED Viewed

@@ -6,7 +6,7 @@
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
+    <%= stylesheet_link_tag "application", "data-turbo-track": "reload", nonce: true %>
     <%= javascript_importmap_tags %>
     <%= load_in_context_editor %>
   </head>

data/examples/demo/config/initializers/content_security_policy.rb CHANGED Viewed

@@ -4,22 +4,22 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
-#   # Generate session nonces for permitted importmap and inline scripts
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
-#
-#   # Report violations without enforcing the policy.
-#   # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+  config.content_security_policy do |policy|
+    policy.default_src :self, :https
+    policy.font_src :self, :https, :data
+    policy.img_src :self, :https, :data
+    policy.object_src :none
+    policy.script_src :self, :https, :strict_dynamic
+    policy.style_src :self, :https
+    # Specify URI for violation reports
+    # policy.report_uri "/csp-violation-report-endpoint"
+  end
+  # Generate session nonces for permitted importmap and inline scripts
+  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  config.content_security_policy_nonce_directives = %w[script-src style-src]
+  # Report violations without enforcing the policy.
+  # config.content_security_policy_report_only = true
+end

data/lib/phraseapp-in-context-editor-ruby/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module PhraseappInContextEditor
-  VERSION = "3.1.1"
+  VERSION = "3.2.0"
 end

data/lib/phraseapp-in-context-editor-ruby/view_helpers.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module PhraseApp
         }.merge(opts)
         snippet = <<-EOS
-        <script>
+        <script nonce='#{content_security_policy_nonce}'>
           window.PHRASEAPP_CONFIG = #{configuration.to_json};
           (function() {
             let phraseapp = document.createElement('script');

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: phraseapp-in-context-editor-ruby
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.2.0
 platform: ruby
 authors:
 - Phrase
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-14 00:00:00.000000000 Z
+date: 2024-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json