Using React on Rails with CSP and nonce

[joshuacronemeyer]

Hi all,

I've been unable to find any docs about how to use react on rails when our server has a CSP setup. I believe that the initial script tag that react on rails renders needs to include the nonce. Can you help me figure out how to add the nonce attribute to the react on rails script tag?

Here is the rails guide for CSP/nonce configuration. https://guides.rubyonrails.org/security.html#adding-a-nonce

Thanks in advance,
Josh Cronemeyer

[Judahmeek]

The ReactOnRails script itself doesn't need a nonce if you're able to use policy.script_src :self, :https,.

If you really need a nonce, then I believe the html_options parameter should satisfy your needs.

Side Note: You can also give the nonce to the component as a prop, which may be necessary for resolving CSP violations by certain CSS-in-JS & animation libraries. (I remember forking react-spinners to support a nonce before). I also had to replace dynamic inline styles with dynamic classes & CSS modules for the same client.

[justin808]

Hi @joshuacronemeyer, I saw you're using React on Rails at https://app.trucentive.com/users/sign_up. Cool!

Feel free to book a time with me if you think my team and I can help further: https://meetings.hubspot.com/justingordon/30-minute-consultation.