Add CSP nonce when handling JS viewsadd-nonce-js-views

Prevents errors when we have CSP enabled
author: Heinrich Lee Yu <heinrich@gitlab.com> 2019-08-15 14:42:01 +0800
committer: Heinrich Lee Yu <heinrich@gitlab.com> 2019-08-22 06:53:53 +0800
commit: 29f1ab6b526f35308dc320ce342f6bdb2e331e55 (patch)
tree: 0e619f78210732e74485201738ae86a4389967fa
parent: 1d5f5aa896a38104c375ac6ddd168d03d408f05e (diff)
download: gitlab-ce-add-nonce-js-views.tar.gz
1 files changed, 16 insertions, 1 deletions
diff --git a/app/assets/javascripts/main.js b/app/assets/javascripts/main.js
index ba33d72b1f3..39f2097c174 100644
--- a/app/assets/javascripts/main.js
+++ b/app/assets/javascripts/main.js
@@ -9,7 +9,11 @@ import './commons';
 import './behaviors';
 
 // lib/utils
-import { handleLocationHash, addSelectOnFocusBehaviour } from './lib/utils/common_utils';
+import {
+  handleLocationHash,
+  addSelectOnFocusBehaviour,
+  getCspNonceValue,
+} from './lib/utils/common_utils';
 import { localTimeAgo } from './lib/utils/datetime_utility';
 import { getLocationHash, visitUrl } from './lib/utils/url_utility';
 
@@ -39,6 +43,17 @@ import 'ee_else_ce/main_ee';
 window.jQuery = jQuery;
 window.$ = jQuery;
 
+// Add nonce to jQuery script handler
+jQuery.ajaxSetup({
+  converters: {
+    // eslint-disable-next-line @gitlab/i18n/no-non-i18n-strings, func-names
+    'text script': function(text) {
+      jQuery.globalEval(text, { nonce: getCspNonceValue() });
+      return text;
+    },
+  },
+});
+
 // inject test utilities if necessary
 if (process.env.NODE_ENV !== 'production' && gon && gon.test_env) {
   $.fx.off = true;
author	Heinrich Lee Yu <heinrich@gitlab.com>	2019-08-15 14:42:01 +0800
committer	Heinrich Lee Yu <heinrich@gitlab.com>	2019-08-22 06:53:53 +0800
commit	29f1ab6b526f35308dc320ce342f6bdb2e331e55 (patch)
tree	0e619f78210732e74485201738ae86a4389967fa
parent	1d5f5aa896a38104c375ac6ddd168d03d408f05e (diff)
download	gitlab-ce-add-nonce-js-views.tar.gz