rack-disable_css_animations 0.4.0 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f4f052828fc1eef129c74f3265617450794ee647433a6be7e1a424ede568d6e
-  data.tar.gz: 550bc940c02d553d40d4864b44750f924073b135d73e4aac7379d8d46350361d
+  metadata.gz: bad6feef29bab1e1a2a8e97b26657b599173d23b85fbb484a9b4cfe3efb05030
+  data.tar.gz: 3bca0f36e15ed91ecd7bae9deecec5d344cb82ae7cc27aae1e9064dd596a45e8
 SHA512:
-  metadata.gz: cccb5748d6830a131c60f0d8d350ca8fe3d388e97b07cbe94819dbfea2bc14cf684b39530709c5f5adc2ddfd83919b6c062231942793894b3804b6a835932a71
-  data.tar.gz: 51f0f41134048e3fc32865eab28dcf2492b5b09cfe9576fb31bef165a21e8ac109fa063f8028d534e2fff8543f691849d5031c06c8f0de7b8413b396b755cb55
+  metadata.gz: d4344c6fe201e54525d0c939c67466fe876fb305d88ec2dddd0d4d433d30efa4f4b28367e83d4bcdee5c2b0aa922fb4260d981426c57ced8711989fa8ad8fc85
+  data.tar.gz: d9bdb2f55b3dbe8e4ac7f2c3d5b50e35cf53b6f0082302623f6b56786eef363d35660af0915018573d6b0504c507fb4693eda74529e4c3d41b247724005e35bb

data/.github/workflows/main.yml

@@ -0,0 +1,18 @@
+name: CI
+on: [push, pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        ruby: [ "3.3", "3.4", "4.0" ]
+
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Run the default task
+      run: bundle exec rake

data/CHANGELOG.md

@@ -0,0 +1,33 @@
+# Changelog
+
+## 0.5.1
+
+- Recognize the `Content-Security-Policy-Report-Only` header (in both canonical and lowercase form) when no enforcing `Content-Security-Policy` header is present, so the injected `<style>` tag's nonce matches in apps running CSP in report-only mode.
+- Insert the middleware before `ActionDispatch::ContentSecurityPolicy::Middleware` so the CSP header has already been added to the response by the time we read it. Previously the middleware ran before CSP on the response, so the header was always absent.
+
+## 0.5.0
+
+- Add CSP nonce support: when the response's `Content-Security-Policy` header sets a `style-src 'nonce-…'`, the injected `<style>` tag now carries a matching `nonce` attribute so it is not blocked by CSP.
+
+## 0.4.0
+
+- Add stub for manual requiring.
+- Automatically add to the middleware stack when required after Rails.
+
+## 0.3.0
+
+- Disable `scroll-behavior` as well.
+- CSS prefixes are no longer needed.
+
+## 0.2.0
+
+- Actually disable the animations.
+- `0` is not a valid value for the `animation-duration` property.
+
+## 0.1.1
+
+- Use prefix methods too (PhantomJS needed the `-webkit` prefix).
+
+## 0.1.0
+
+- Initial release.

data/Rakefile

@@ -1,2 +1,10 @@
 require "bundler/gem_tasks"
+require "rake/testtask"
 
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/test_*.rb"]
+end
+
+task default: :test

data/lib/rack/disable_css_animations/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class DisableCSSAnimations
-    VERSION = "0.4.0"
+    VERSION = "0.5.1"
   end
 end

data/lib/rack/disable_css_animations.rb

@@ -4,7 +4,11 @@ module Rack
   class DisableCSSAnimations
     if defined?(Rails)
       class Rails < Rails::Railtie
-        config.app_middleware.use DisableCSSAnimations
+        initializer "rack-disable_css_animations.insert_middleware" do |app|
+          app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, DisableCSSAnimations
+        rescue RuntimeError
+          app.middleware.use DisableCSSAnimations
+        end
       end
     end
 
@@ -16,6 +20,8 @@ module Rack
       @status, @headers, @body = @app.call(env)
       return [@status, @headers, @body] unless html?
 
+      @style_nonce = directive_nonces["style-src"]
+
       response = Rack::Response.new([], @status, @headers)
       @body.each do |fragment|
         response.write inject(fragment)
@@ -31,9 +37,31 @@ module Rack
       @headers["Content-Type"] =~ /html/
     end
 
+    def csp_header
+      @headers["Content-Security-Policy"] ||
+        @headers["content-security-policy"] ||
+        @headers["Content-Security-Policy-Report-Only"] ||
+        @headers["content-security-policy-report-only"] ||
+        ""
+    end
+
+    def directive_nonces
+      csp_header.split(";").each_with_object({}) do |directive, nonces|
+        tokens = directive.split
+        name = tokens.shift
+        next unless name
+        nonce = tokens.find { |t| t =~ /\A'nonce-(.+)'\z/ } && $1
+        nonces[name] = nonce if nonce
+      end
+    end
+
+    def style_tag
+      @style_nonce ? %(<style nonce="#{@style_nonce}">) : "<style>"
+    end
+
     def inject response
       markup = <<-CSS
-        <style>
+        #{style_tag}
           * {
             animation-delay: 0s !important;
             animation-duration: 0.01s !important;

data/rack-disable_css_animations.gemspec

@@ -22,4 +22,6 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "rake"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "rack-test"
 end

data/test/test_disable_css_animations.rb

@@ -0,0 +1,110 @@
+require "minitest/autorun"
+require "rack/test"
+require "rack/disable_css_animations"
+
+class TestDisableCSSAnimations < Minitest::Test
+  include Rack::Test::Methods
+
+  HTML_BODY = "<html><head><title>Test</title></head><body>hi</body></html>"
+
+  attr_accessor :response_status, :response_headers, :response_body
+
+  def app
+    outer_self = self
+    Rack::DisableCSSAnimations.new(lambda do |_env|
+      [outer_self.response_status, outer_self.response_headers, [outer_self.response_body]]
+    end)
+  end
+
+  def setup
+    self.response_status = 200
+    self.response_headers = { "Content-Type" => "text/html" }
+    self.response_body = HTML_BODY
+  end
+
+  def test_non_html_response_is_passed_through_unchanged
+    self.response_headers = { "Content-Type" => "application/json" }
+    self.response_body = %({"foo":"bar"})
+
+    get "/"
+
+    assert_equal %({"foo":"bar"}), last_response.body
+  end
+
+  def test_html_response_injects_style_tag
+    get "/"
+
+    assert_includes last_response.body, "<style>"
+    assert_includes last_response.body, "animation-duration: 0.01s !important"
+    refute_includes last_response.body, "nonce="
+  end
+
+  def test_injects_before_closing_head
+    get "/"
+
+    style_index = last_response.body.index("<style")
+    head_close_index = last_response.body.index("</head>")
+    assert style_index < head_close_index
+  end
+
+  def test_style_src_nonce_is_copied_onto_style_tag
+    self.response_headers["Content-Security-Policy"] = "style-src 'nonce-abc123' 'self'; script-src 'nonce-xyz789'"
+
+    get "/"
+
+    assert_includes last_response.body, %(<style nonce="abc123">)
+    refute_includes last_response.body, "<style>"
+  end
+
+  def test_csp_without_style_src_nonce_injects_plain_style_tag
+    self.response_headers["Content-Security-Policy"] = "default-src 'self'; script-src 'nonce-xyz789'"
+
+    get "/"
+
+    assert_includes last_response.body, "<style>"
+    refute_includes last_response.body, "nonce="
+  end
+
+  def test_csp_with_style_src_but_no_nonce_injects_plain_style_tag
+    self.response_headers["Content-Security-Policy"] = "style-src 'self' 'unsafe-inline'"
+
+    get "/"
+
+    assert_includes last_response.body, "<style>"
+    refute_includes last_response.body, "nonce="
+  end
+
+  def test_lowercase_csp_header_is_also_recognized
+    self.response_headers = { "Content-Type" => "text/html", "content-security-policy" => "style-src 'nonce-lower1'" }
+
+    get "/"
+
+    assert_includes last_response.body, %(<style nonce="lower1">)
+  end
+
+  def test_report_only_csp_header_nonce_is_used_when_enforcing_header_absent
+    self.response_headers["Content-Security-Policy-Report-Only"] = "style-src 'nonce-reportonly1'"
+
+    get "/"
+
+    assert_includes last_response.body, %(<style nonce="reportonly1">)
+  end
+
+  def test_lowercase_report_only_csp_header_is_also_recognized
+    self.response_headers = { "Content-Type" => "text/html", "content-security-policy-report-only" => "style-src 'nonce-reportonly2'" }
+
+    get "/"
+
+    assert_includes last_response.body, %(<style nonce="reportonly2">)
+  end
+
+  def test_enforcing_header_takes_precedence_over_report_only
+    self.response_headers["Content-Security-Policy"] = "style-src 'nonce-enforced'"
+    self.response_headers["Content-Security-Policy-Report-Only"] = "style-src 'nonce-reportonly'"
+
+    get "/"
+
+    assert_includes last_response.body, %(<style nonce="enforced">)
+    refute_includes last_response.body, "reportonly"
+  end
+end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack-disable_css_animations
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.1
 platform: ruby
 authors:
 - Micah Geisel
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-08-19 00:00:00.000000000 Z
+date: 2026-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -52,6 +51,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Rack middleware to disable CSS animations sitewide. Useful for making
   acceptance tests quicker and more deterministic.
 email:
@@ -61,7 +88,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/main.yml"
 - ".gitignore"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -71,11 +100,11 @@ files:
 - lib/rack/disable_css_animations.rb
 - lib/rack/disable_css_animations/version.rb
 - rack-disable_css_animations.gemspec
+- test/test_disable_css_animations.rb
 homepage: https://github.com/botandrose/rack-disable_css_animations
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -90,8 +119,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
-signing_key: 
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Rack middleware to disable CSS animations sitewide.
-test_files: []
+test_files:
+- test/test_disable_css_animations.rb