phraseapp-in-context-editor-ruby 3.1.1 → 3.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1d26e42fffd5138a7fecf9273413a584f2e0bac55f0c9ec280f2ff3f2c48701b
4
- data.tar.gz: 675aa580225c7edf371c0b031a9b4dba485e36c72a71ebdbc991738548eb9ae3
3
+ metadata.gz: 17c6c5e0a0f37c12c316ad48fbbd6f8778c4e1b019c42d30aa4ead61fc878d34
4
+ data.tar.gz: b1efe28346b9ac381949d14f5106ae160dc4a31f02c8555c86f597a2f7d2db12
5
5
  SHA512:
6
- metadata.gz: 45d475e3a53d156711097c0926df63c9bc89a0ad78ffb56b908e48d11b5db0cc70267ac629edd0d24c7a0835572411fce36ff08b9de021e2787a1c389a11ae7d
7
- data.tar.gz: 546bd0fa0eca47a62078b7f20b0e2ed1215fad2c73dcb0367f01c25fe235e64a16c4301d0a48ff665f67ed93a293b5556e5aadeadbe1fc2911f2b419e0ee074a
6
+ metadata.gz: 62f3914be6e79486b27fae858447f4d8f137a529c2df9305a3cdbd87703ab43fbea431ea31bddf993a5e240975ab373663a385d6727972f90bbd6665d698e84c
7
+ data.tar.gz: 3da9433f686cd2d4a6d5df36501ecb65501ec15be85d9980dcc13bca98ba5be813e48f7f304c82929086d451d22a88472544903ff6435e830a1586288092ee56
data/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ # [3.2.0](https://github.com/phrase/phraseapp-in-context-editor-ruby/compare/v3.1.1...v3.2.0) (2024-07-11)
2
+
3
+
4
+ ### Features
5
+
6
+ * Added nonce support ([#86](https://github.com/phrase/phraseapp-in-context-editor-ruby/issues/86)) ([e7df6f7](https://github.com/phrase/phraseapp-in-context-editor-ruby/commit/e7df6f7b279c3823dd8a99f0b5d6e2d025863ca7))
7
+
1
8
  ## [3.1.1](https://github.com/phrase/phraseapp-in-context-editor-ruby/compare/v3.1.0...v3.1.1) (2024-06-14)
2
9
 
3
10
 
data/README.md CHANGED
@@ -10,8 +10,8 @@
10
10
 
11
11
  To use phraseapp-in-context-editor-ruby with your application you have to:
12
12
 
13
- * Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup)
14
- * Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html)
13
+ - Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup)
14
+ - Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html)
15
15
 
16
16
  ### Demo
17
17
 
@@ -21,11 +21,13 @@ Login via the demo credentials `demo@phrase.com` / `phrase`
21
21
  ### Installation
22
22
 
23
23
  #### NOTE: You can not use the old version of the ICE with integration versions of >2.0.0, you have to instead use 1.x.x versions as before
24
+
24
25
  #### via Gem
25
26
 
26
27
  ```bash
27
28
  gem install phraseapp-in-context-editor-ruby
28
29
  ```
30
+
29
31
  #### via Bundler
30
32
 
31
33
  Add it to your `Gemfile`
@@ -84,6 +86,7 @@ Old version of the ICE is not available since version 2.0.0. If you still would
84
86
  #### Using the US Datacenter with ICE
85
87
 
86
88
  In addition to the settings in your `config/initializers/phraseapp_in_context_editor.rb`, set the US datacenter to enable the ICE to work with the US endpoints.
89
+
87
90
  ```ruby
88
91
  config.enabled = true
89
92
  config.project_id = "YOUR_PROJECT_ID"
@@ -91,6 +94,18 @@ In addition to the settings in your `config/initializers/phraseapp_in_context_ed
91
94
  config.datacenter = "us"
92
95
  ```
93
96
 
97
+ #### Using with CSP
98
+
99
+ The script will automatically get the nonce from `content_security_policy_nonce`
100
+ The content_security_policy.rb has to have `:strict_dynamic` for `policy.script_src` since we are loading more scripts dynamically because of our way of deploying
101
+
102
+ ```ruby
103
+ policy.script_src :self, :https, :strict_dynamic
104
+ policy.style_src :self, :https
105
+ ```
106
+
107
+ The `config.content_security_policy_nonce_directives = %w[script-src style-src]` can include `style-src` but this _might_ break some styling in some cases
108
+
94
109
  ### Browser support
95
110
 
96
111
  This library might not work out of the box for some older browser or IE11. We recommend to add [Babel](https://github.com/babel/babel) to the build pipeline if those browser need to be supported.
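Review bot: the new "Using with CSP" section omits the precondition that makes it work: `content_security_policy_nonce` only returns a value when `config.content_security_policy_nonce_generator` is set in the initializer, and without it the helper returns nil and the injected tag renders as `nonce=''`, which no policy will accept. State that requirement up front, next to the `:strict_dynamic` one. The `:strict_dynamic` sentence would also read better with the reason: the inline snippet creates a second `<script>` element at runtime, and `strict-dynamic` is what propagates trust from the nonced script to scripts it injects, while making host and scheme sources such as `:self, :https` ignored in browsers that support it. For the `style-src` remark, say what the "might break" is: once `style-src` is in `content_security_policy_nonce_directives`, any inline `<style>` block without a matching nonce is blocked. Both sentences of the section are also missing terminal punctuation.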
@@ -6,7 +6,7 @@
6
6
  <%= csrf_meta_tags %>
7
7
  <%= csp_meta_tag %>
8
8
 
9
- <%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
9
+ <%= stylesheet_link_tag "application", "data-turbo-track": "reload", nonce: true %>
10
10
  <%= javascript_importmap_tags %>
11
11
  <%= load_in_context_editor %>
12
12
  </head>
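Review bot: the file header for this hunk did not survive extraction, so it is not visible which layout (presumably the demo app's) is being changed. The added `nonce: true` on `stylesheet_link_tag` is harmless, but under the policy documented in the README (`policy.style_src :self, :https`) the link would be permitted by `:self` with or without a nonce, because a nonce in `style-src` does not disable host sources (that is a `strict-dynamic` effect, and `strict-dynamic` applies only to scripts). What a nonced `style-src` actually blocks is unnonced inline `<style>` content. A short comment on the line would stop readers from concluding that the nonce is what lets the stylesheet load.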
@@ -4,22 +4,22 @@
4
4
  # See the Securing Rails Applications Guide for more information:
5
5
  # https://guides.rubyonrails.org/security.html#content-security-policy-header
6
6
 
7
- # Rails.application.configure do
8
- # config.content_security_policy do |policy|
9
- # policy.default_src :self, :https
10
- # policy.font_src :self, :https, :data
11
- # policy.img_src :self, :https, :data
12
- # policy.object_src :none
13
- # policy.script_src :self, :https
14
- # policy.style_src :self, :https
15
- # # Specify URI for violation reports
16
- # # policy.report_uri "/csp-violation-report-endpoint"
17
- # end
18
- #
19
- # # Generate session nonces for permitted importmap and inline scripts
20
- # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
21
- # config.content_security_policy_nonce_directives = %w(script-src)
22
- #
23
- # # Report violations without enforcing the policy.
24
- # # config.content_security_policy_report_only = true
25
- # end
7
+ Rails.application.configure do
8
+ config.content_security_policy do |policy|
9
+ policy.default_src :self, :https
10
+ policy.font_src :self, :https, :data
11
+ policy.img_src :self, :https, :data
12
+ policy.object_src :none
13
+ policy.script_src :self, :https, :strict_dynamic
14
+ policy.style_src :self, :https
15
+ # Specify URI for violation reports
16
+ # policy.report_uri "/csp-violation-report-endpoint"
17
+ end
18
+
19
+ # Generate session nonces for permitted importmap and inline scripts
20
+ config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
21
+ config.content_security_policy_nonce_directives = %w[script-src style-src]
22
+
23
+ # Report violations without enforcing the policy.
24
+ # config.content_security_policy_report_only = true
25
+ end
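Review bot: the uncommented nonce generator `->(request) { request.session.id.to_s }` derives the nonce from the session id, which has two drawbacks worth noting in this initializer even for a demo app. First, the nonce is then identical for every response in a session rather than fresh per request, so an attacker who captures it from one page can reuse it for the session's lifetime; a per-request random value such as `SecureRandom.base64(16)` (the alternative the Rails guide linked at the top of the file documents) does not have that property. Second, the nonce is emitted into the DOM via `csp_meta_tag` and every nonced tag, so with session stores where the session id is the cookie value this exposes an `HttpOnly` cookie's value to any script running on the page. Separately, since `policy.script_src :self, :https, :strict_dynamic` now enforces rather than reports, consider leaving `config.content_security_policy_report_only = true` enabled for a first deployment so violations in existing inline scripts surface in reports instead of as blocked scripts.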
@@ -1,3 +1,3 @@
1
1
  module PhraseappInContextEditor
2
- VERSION = "3.1.1"
2
+ VERSION = "3.2.0"
3
3
  end
@@ -22,7 +22,7 @@ module PhraseApp
22
22
  }.merge(opts)
23
23
 
24
24
  snippet = <<-EOS
25
- <script>
25
+ <script nonce='#{content_security_policy_nonce}'>
26
26
  window.PHRASEAPP_CONFIG = #{configuration.to_json};
27
27
  (function() {
28
28
  let phraseapp = document.createElement('script');
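Review bot: `<script nonce='#{content_security_policy_nonce}'>` renders `nonce=''` whenever the host application has not configured `content_security_policy_nonce_generator`, because the helper returns nil in that case and interpolates as an empty string. That is a silent regression for every existing install without a nonce policy: the empty attribute is useless and invites confusion when the script is later blocked. Suggest only emitting the attribute when a nonce exists, e.g. `nonce = content_security_policy_nonce` followed by `nonce_attr = nonce ? " nonce='#{nonce}'" : ""` and `<script#{nonce_attr}>`. Also note in the file header where `content_security_policy_nonce` comes from (the Rails view context), since the module now depends on being included as a view helper.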
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: phraseapp-in-context-editor-ruby
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.1
4
+ version: 3.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Phrase
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-14 00:00:00.000000000 Z
11
+ date: 2024-07-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: json