Use correct CSP nonce behavior when 'unsafe-inline' is set (#1041)

* fix: use correct CSP nonce behavior when 'unsafe-inline' is set

* chore: pin rexml to ruby v2.0 compatible version for Rails 3 ci config

* style: remove historical context from comment

Author: waltjones

Gemfile

@@ -74,6 +74,7 @@ gem 'redis'
 gem 'resque', '< 2.0.0'
 gem 'rubocop', '~> 0.93.0', :require => false
 gem 'rubocop-performance', :require => false
+gem 'secure_headers', '~> 6.3.2', :require => false
 gem 'sinatra'
 gem 'webmock', :require => false
 gemspec

gemfiles/rails50.gemfile

@@ -45,6 +45,7 @@ gem 'generator_spec'
 gem 'girl_friday', '>= 0.11.1'
 gem 'redis', '<= 3.3.5'
 gem 'resque'
+gem 'secure_headers', '~> 6.3.2', :require => false
 
 unless is_jruby
   # JRuby doesn't support fork, which is required for this test helper.

gemfiles/rails51.gemfile

@@ -46,6 +46,7 @@ gem 'generator_spec'
 gem 'girl_friday', '>= 0.11.1'
 gem 'redis', '<= 3.3.5'
 gem 'resque'
+gem 'secure_headers', '~> 6.3.2', :require => false
 
 unless is_jruby
   # JRuby doesn't support fork, which is required for this test helper.

gemfiles/rails52.gemfile

@@ -38,6 +38,7 @@ gem 'generator_spec'
 gem 'girl_friday', '>= 0.11.1'
 gem 'redis'
 gem 'resque'
+gem 'secure_headers', '~> 6.3.2', :require => false
 gem 'simplecov', '<= 0.17.1'
 
 unless is_jruby

gemfiles/rails60.gemfile

@@ -35,6 +35,7 @@ gem 'generator_spec'
 gem 'girl_friday', '>= 0.11.1'
 gem 'redis'
 gem 'resque'
+gem 'secure_headers', '~> 6.3.2', :require => false
 gem 'simplecov'
 
 unless is_jruby

gemfiles/rails61.gemfile

@@ -34,6 +34,7 @@ gem 'generator_spec'
 gem 'girl_friday', '>= 0.11.1'
 gem 'redis'
 gem 'resque'
+gem 'secure_headers', '~> 6.3.2', :require => false
 gem 'simplecov'
 
 unless is_jruby

lib/rollbar/middleware/js.rb

@@ -157,8 +157,7 @@ def js_snippet
       def script_tag(content, env)
         if (nonce = rails5_nonce(env))
           script_tag_content = "\n<script type=\"text/javascript\" nonce=\"#{nonce}\">#{content}</script>"
-        elsif secure_headers_nonce?
-          nonce = ::SecureHeaders.content_security_policy_script_nonce(::Rack::Request.new(env))
+        elsif (nonce = secure_headers_nonce(env))
           script_tag_content = "\n<script type=\"text/javascript\" nonce=\"#{nonce}\">#{content}</script>"
         else
           script_tag_content = "\n<script type=\"text/javascript\">#{content}</script>"
@@ -172,28 +171,40 @@ def html_safe_if_needed(string)
         string
       end
 
-      # Rails 5.2 Secure Content Policy
+      # Rails 5.2+ Secure Content Policy
       def rails5_nonce(env)
-        # The nonce is the preferred method, however 'unsafe-inline' is also possible.
-        # The app gets to decide, so we handle both. If the script_src key is missing,
-        # Rails will not add the nonce to the headers, so we should not add it either.
-        # If the 'unsafe-inline' value is present, the app should not add a nonce and
-        # we should ignore it if they do.
-        req = ::ActionDispatch::Request.new env
+        req = ::ActionDispatch::Request.new(env)
+
+        # Rails will only return a nonce if the app has set a nonce generator.
+        # So if we get a valid nonce here, we know we should use it.
+        #
+        # Having both 'unsafe-inline' and a nonce is a valid and preferred
+        # browser compatibility configuration.
+        #
+        # If the script_src key is missing, Rails will not add the nonce to the headers,
+        # so we detect this and will not add it in this case.
         req.respond_to?(:content_security_policy) &&
           req.content_security_policy &&
           req.content_security_policy.directives['script-src'] &&
           req.content_security_policy_nonce
       end
 
       # Secure Headers gem
-      def secure_headers_nonce?
-        secure_headers.append_nonce?
+      def secure_headers_nonce(env)
+        req = ::Rack::Request.new(env)
+
+        return unless secure_headers(req).append_nonce?
+
+        ::SecureHeaders.content_security_policy_script_nonce(req)
       end
 
-      def secure_headers
+      def secure_headers(req)
         return SecureHeadersFalse.new unless defined?(::SecureHeaders::Configuration)
 
+        # If the nonce key has been set, the app is using nonces for this request.
+        # If it hasn't, we shouldn't cause one to be added to script_src, so return now.
+        return SecureHeadersFalse.new unless secure_headers_nonce_key(req)
+
         config = ::SecureHeaders::Configuration
 
         secure_headers_cls = nil
@@ -211,6 +222,10 @@ def secure_headers
         secure_headers_cls.new
       end
 
+      def secure_headers_nonce_key(req)
+        defined?(::SecureHeaders::NONCE_KEY) && req.env[::SecureHeaders::NONCE_KEY]
+      end
+
       class SecureHeadersResolver
         def append_nonce?
           csp_needs_nonce?(find_csp)

spec/dummyapp/app/controllers/home_controller.rb

@@ -48,6 +48,13 @@ def test_rollbar_js
     render 'js/test', :layout => 'simple'
   end
 
+  def test_rollbar_js_with_nonce
+    # Cause a secure_headers nonce to be added to script_src
+    ::SecureHeaders.content_security_policy_script_nonce(request)
+
+    render 'js/test', :layout => 'simple'
+  end
+
   def file_upload
     _this = will_crash
   end

spec/dummyapp/config/routes.rb

@@ -16,4 +16,5 @@
   get '/set_session_data' => 'home#set_session_data'
   get '/use_session_data' => 'home#use_session_data'
   get '/test_rollbar_js' => 'home#test_rollbar_js'
+  get '/test_rollbar_js_with_nonce' => 'home#test_rollbar_js_with_nonce'
 end

spec/rollbar/middleware/js_spec.rb

@@ -34,7 +34,7 @@
 describe Rollbar::Middleware::Js do
   subject { described_class.new(app, config) }
 
-  let(:env) { {} }
+  let(:env) { { SecureHeadersMocks::NONCE_KEY => SecureHeadersMocks::NONCE } }
   let(:config) { {} }
   let(:app) do
     proc do |_|
@@ -421,7 +421,7 @@
         let(:body) { [html] }
         let(:status) { 200 }
         let(:headers) do
-          { 
+          {
             'Content-Type' => content_type,
             'Content-Length' => html.bytesize
           }