Add CSP nonce when handling JS views

Prevents errors when we have CSP enabled

Add CSP nonce when handling JS views
Prevents errors when we have CSP enabled
29f1ab6b · Heinrich Lee Yu · 1d5f5aa8 · 29f1ab6b
隐藏空白更改
内联并排

Showing with 16 addition and 1 deletion

app/assets/javascripts/main.js app/assets/javascripts/main.js +16 -1

未找到文件。
--- a/app/assets/javascripts/main.js
+++ b/app/assets/javascripts/main.js
@@ -9,7 +9,11 @@ import './commons';
 import './behaviors';

 // lib/utils
-import { handleLocationHash, addSelectOnFocusBehaviour } from './lib/utils/common_utils';
+import {
+  handleLocationHash,
+  addSelectOnFocusBehaviour,
+  getCspNonceValue,
+} from './lib/utils/common_utils';
 import { localTimeAgo } from './lib/utils/datetime_utility';
 import { getLocationHash, visitUrl } from './lib/utils/url_utility';

@@ -39,6 +43,17 @@ import 'ee_else_ce/main_ee';
 window.jQuery = jQuery;
 window.$ = jQuery;

+// Add nonce to jQuery script handler
+jQuery.ajaxSetup({
+  converters: {
+    // eslint-disable-next-line @gitlab/i18n/no-non-i18n-strings, func-names
+    'text script': function(text) {
+      jQuery.globalEval(text, { nonce: getCspNonceValue() });
+      return text;
+    },
+  },
+});
+
 // inject test utilities if necessary
 if (process.env.NODE_ENV !== 'production' && gon && gon.test_env) {
  $.fx.off = true;