From 5932e9750c03faec00307622c23e4422fe163746 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Dec 2025 21:45:30 +0000
Subject: [PATCH 1/5] Initial plan
From 9b8201a79ee63d5a065e9ddb3cf6a2fb3d4dee31 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Dec 2025 21:54:53 +0000
Subject: [PATCH 2/5] Fix content_security_policy_nonce to work without
parameters for Rails compatibility
Co-authored-by: fletchto99 <718681+fletchto99@users.noreply.github.com>
---
lib/secure_headers/view_helper.rb | 5 +-
spec/lib/secure_headers/view_helpers_spec.rb | 59 ++++++++++++++++++++
2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/lib/secure_headers/view_helper.rb b/lib/secure_headers/view_helper.rb
index 7ed57311..7ffb2a93 100644
--- a/lib/secure_headers/view_helper.rb
+++ b/lib/secure_headers/view_helper.rb
@@ -65,8 +65,11 @@ def nonced_stylesheet_pack_tag(*args, &block)
# Public: use the content security policy nonce for this request directly.
# Instructs secure_headers to append a nonce to style/script-src directives.
#
+ # type - The type of nonce to generate (:script or :style). Defaults to :script
+ # to match Rails' content_security_policy_nonce behavior.
+ #
# Returns a non-html-safe nonce value.
- def _content_security_policy_nonce(type)
+ def _content_security_policy_nonce(type = :script)
case type
when :script
SecureHeaders.content_security_policy_script_nonce(@_request)
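Review bot: Defaulting `type` to :script means a bare call silently produces a script nonce even when the helper is rendered inside a `<style>` element, and the new comment on the `type` parameter does not warn about this. The Rails helper this mirrors takes no argument, so a caller porting templates may assume one nonce covers both directives, whereas here the `:script` branch calls `content_security_policy_script_nonce` and the style path is separate (it is outside the hunk), so a bare call in a style context would presumably yield a nonce that style-src does not carry and the browser blocks the element — fail-closed, but an easy-to-miss compatibility gap. I would extend the comment with `# NOTE: unlike Rails, script and style nonces are handled separately here; a bare call inside a <style> element will not authorize it — pass :style explicitly.` The `case` statement and its remaining branches continue past the end of the hunk.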
diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
index 2a7f56ed..658b8467 100644
--- a/spec/lib/secure_headers/view_helpers_spec.rb
+++ b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -188,5 +188,64 @@ module SecureHeaders
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)
end
end
+
+ it "supports calling content_security_policy_nonce without parameters (Rails compatibility)" do
+ begin
+ allow(SecureRandom).to receive(:base64).and_return("xyz789")
+
+ # Create a test class that simulates what GoodJob does
+ # They call content_security_policy_nonce without any parameters
+ test_class = Class.new(Message) do
+ def self.template
+ <<-TEMPLATE
+
+TEMPLATE
+ end
+ end
+
+ message = test_class.new(request)
+ result = message.result
+
+ # The nonce should be included in the rendered output
+ expect(result).to include('nonce="xyz789"')
+
+ # Call middleware to generate headers
+ _, env = middleware.call request.env
+
+ # The nonce should be added to script-src in the CSP header (default behavior)
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-xyz789'/)
+ end
+ end
+
+ it "supports calling content_security_policy_nonce with :style parameter" do
+ begin
+ allow(SecureRandom).to receive(:base64).and_return("style123")
+
+ # Create a test class that calls content_security_policy_nonce with :style
+ test_class = Class.new(Message) do
+ def self.template
+ <<-TEMPLATE
+
+TEMPLATE
+ end
+ end
+
+ message = test_class.new(request)
+ result = message.result
+
+ # The nonce should be included in the rendered output
+ expect(result).to include('nonce="style123"')
+
+ # Call middleware to generate headers
+ _, env = middleware.call request.env
+
+ # The nonce should be added to style-src in the CSP header
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-style123'/)
+ end
+ end
end
end
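Review bot: Both new examples assert only that the nonce lands in the expected directive, never that it stays out of the other one, so with `SecureRandom.base64` stubbed to a single value a regression that appended the nonce to both script-src and style-src (or collapsed the two into one shared nonce) would still pass. Mirroring the existing `not_to match(/rails-nonce/)` check above, add `expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/style-src[^;]*'nonce-xyz789'/)` to the default-argument example and `expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/script-src[^;]*'nonce-style123'/)` to the `:style` one. Separately, as rendered here the heredocs between `<<-TEMPLATE` and `TEMPLATE` are empty — presumably the markup was lost in extraction — so the `nonce="xyz789"` expectation cannot be traced from the hunk; worth confirming the template really invokes the helper with no argument, since that is the behaviour under test.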
From 3ba2401ab83586f2999b34dd50905270bff50a87 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Dec 2025 21:58:43 +0000
Subject: [PATCH 3/5] Fix rubocop trailing whitespace issues
Co-authored-by: fletchto99 <718681+fletchto99@users.noreply.github.com>
---
spec/lib/secure_headers/view_helpers_spec.rb | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
index 658b8467..4c2b91d8 100644
--- a/spec/lib/secure_headers/view_helpers_spec.rb
+++ b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -204,16 +204,16 @@ def self.template
TEMPLATE
end
end
-
+
message = test_class.new(request)
result = message.result
-
+
# The nonce should be included in the rendered output
expect(result).to include('nonce="xyz789"')
-
+
# Call middleware to generate headers
_, env = middleware.call request.env
-
+
# The nonce should be added to script-src in the CSP header (default behavior)
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-xyz789'/)
end
@@ -233,16 +233,16 @@ def self.template
TEMPLATE
end
end
-
+
message = test_class.new(request)
result = message.result
-
+
# The nonce should be included in the rendered output
expect(result).to include('nonce="style123"')
-
+
# Call middleware to generate headers
_, env = middleware.call request.env
-
+
# The nonce should be added to style-src in the CSP header
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-style123'/)
end
From b6fb70367b7d920c1db7d2c4b991a67a55d37f66 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Dec 2025 22:01:09 +0000
Subject: [PATCH 4/5] Address code review feedback: remove unnecessary begin
blocks
Co-authored-by: fletchto99 <718681+fletchto99@users.noreply.github.com>
---
spec/lib/secure_headers/view_helpers_spec.rb | 62 +++++++++-----------
1 file changed, 29 insertions(+), 33 deletions(-)
diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
index 4c2b91d8..ffd8063b 100644
--- a/spec/lib/secure_headers/view_helpers_spec.rb
+++ b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -190,62 +190,58 @@ module SecureHeaders
end
it "supports calling content_security_policy_nonce without parameters (Rails compatibility)" do
- begin
- allow(SecureRandom).to receive(:base64).and_return("xyz789")
+ allow(SecureRandom).to receive(:base64).and_return("xyz789")
- # Create a test class that simulates what GoodJob does
- # They call content_security_policy_nonce without any parameters
- test_class = Class.new(Message) do
- def self.template
- <<-TEMPLATE
+ # Create a test class that simulates what GoodJob does
+ # They call content_security_policy_nonce without any parameters
+ test_class = Class.new(Message) do
+ def self.template
+ <<-TEMPLATE
TEMPLATE
- end
end
+ end
- message = test_class.new(request)
- result = message.result
+ message = test_class.new(request)
+ result = message.result
- # The nonce should be included in the rendered output
- expect(result).to include('nonce="xyz789"')
+ # The nonce should be included in the rendered output
+ expect(result).to include('nonce="xyz789"')
- # Call middleware to generate headers
- _, env = middleware.call request.env
+ # Call middleware to generate headers
+ _, env = middleware.call request.env
- # The nonce should be added to script-src in the CSP header (default behavior)
- expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-xyz789'/)
- end
+ # The nonce should be added to script-src in the CSP header (default behavior)
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-xyz789'/)
end
it "supports calling content_security_policy_nonce with :style parameter" do
- begin
- allow(SecureRandom).to receive(:base64).and_return("style123")
+ allow(SecureRandom).to receive(:base64).and_return("style123")
- # Create a test class that calls content_security_policy_nonce with :style
- test_class = Class.new(Message) do
- def self.template
- <<-TEMPLATE
+ # Create a test class that calls content_security_policy_nonce with :style
+ test_class = Class.new(Message) do
+ def self.template
+ <<-TEMPLATE
TEMPLATE
- end
end
+ end
- message = test_class.new(request)
- result = message.result
+ message = test_class.new(request)
+ result = message.result
- # The nonce should be included in the rendered output
- expect(result).to include('nonce="style123"')
+ # The nonce should be included in the rendered output
+ expect(result).to include('nonce="style123"')
- # Call middleware to generate headers
- _, env = middleware.call request.env
+ # Call middleware to generate headers
+ _, env = middleware.call request.env
- # The nonce should be added to style-src in the CSP header
- expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-style123'/)
- end
+ # The nonce should be added to style-src in the CSP header
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-style123'/)
end
end
end
From bd6196a3291d0a367bb651896191bf7c3791f67c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Dec 2025 22:02:15 +0000
Subject: [PATCH 5/5] Improve documentation clarity based on code review
feedback
Co-authored-by: fletchto99 <718681+fletchto99@users.noreply.github.com>
---
lib/secure_headers/view_helper.rb | 4 ++--
spec/lib/secure_headers/view_helpers_spec.rb | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/secure_headers/view_helper.rb b/lib/secure_headers/view_helper.rb
index 7ffb2a93..d1ad8c60 100644
--- a/lib/secure_headers/view_helper.rb
+++ b/lib/secure_headers/view_helper.rb
@@ -65,8 +65,8 @@ def nonced_stylesheet_pack_tag(*args, &block)
# Public: use the content security policy nonce for this request directly.
# Instructs secure_headers to append a nonce to style/script-src directives.
#
- # type - The type of nonce to generate (:script or :style). Defaults to :script
- # to match Rails' content_security_policy_nonce behavior.
+ # type - (optional) The type of nonce to generate (:script or :style).
+ # Defaults to :script to match Rails' content_security_policy_nonce behavior.
#
# Returns a non-html-safe nonce value.
def _content_security_policy_nonce(type = :script)
diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
index ffd8063b..210ea04c 100644
--- a/spec/lib/secure_headers/view_helpers_spec.rb
+++ b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -192,8 +192,8 @@ module SecureHeaders
it "supports calling content_security_policy_nonce without parameters (Rails compatibility)" do
allow(SecureRandom).to receive(:base64).and_return("xyz789")
- # Create a test class that simulates what GoodJob does
- # They call content_security_policy_nonce without any parameters
+ # Create a test class that simulates Rails-compatible usage
+ # where content_security_policy_nonce is called without any parameters
test_class = Class.new(Message) do
def self.template
<<-TEMPLATE