Add default parameter to content_security_policy_nonce for Rails compatibility

[Copilot]

Third-party gems (e.g., GoodJob) call content_security_policy_nonce without parameters, expecting Rails' default behavior. SecureHeaders required an explicit :script or :style parameter, causing these calls to return nil and nonces to be omitted from CSP headers.

Changes

• lib/secure_headers/view_helper.rb: Added default parameter type = :script to _content_security_policy_nonce to match Rails' ActionController::ContentSecurityPolicy behavior
• spec/lib/secure_headers/view_helpers_spec.rb: Added tests for parameterless invocation and explicit :style parameter

Example

<!-- Now works without parameters (previously returned nil) -->
<script nonce="<%= content_security_policy_nonce %>">
  console.log("nonce applied");
</script>

<!-- Explicit parameter still supported -->
<style nonce="<%= content_security_policy_nonce(:style) %>">
  body { background: red; }
</style>

Backward compatible - existing code calling with explicit parameters unchanged.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• coveralls.io
  • Triggering command: /usr/bin/ruby ruby -I lib:spec -r spec_helper spec/lib/secure_headers/view_helpers_spec.rb -j ACCEPT (dns block)
  • Triggering command: /usr/bin/ruby ruby -I lib:spec -r spec_helper spec/lib/secure_headers/view_helpers_spec.rb (dns block)
  • Triggering command: /home/REDACTED/.local/share/gem/ruby/3.2.0/bin/rspec rspec spec/lib/secure_headers/view_helpers_spec.rb (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>content_security_policy_nonce calls Rails method so CSP does not contain nonce</issue_title>
<issue_description>### Expected outcome
I am using GoodJob to process jobs on Rails 6. The GoodJob dashboard includes a number of scripts and styles. These all have nonces set using the content_security_policy_nonce method.

 <%= tag.script "", src: frontend_static_path(:bootstrap, format: :js, v: GoodJob::VERSION, locale: nil), nonce: content_security_policy_nonce %>

(link to code)

I would expect Secure Headers to set the nonce in the CSP header so that these scripts are permitted.

Actual outcome

No nonce is set in the CSP header. I think that Rails' own content_security_policy_nonce method is being called rather than the Secure Headers method of the same name. This means that the CSP set by Secure Headers doesn't include the nonce, and the scripts and styles are therefore not permitted.

I know that recommend practice when using Secure Headers is to use the nonced_javascript_tag method, but since this is in a gem I can't do that.

Possible related issues:

• Method conflicting content_security_policy_nonce with Rails 5.2 #392
• Avoid calling content_security_policy_nonce internally #389

Config

SecureHeaders::Configuration.default do |config|
  config.hsts = "max-age=#{1.year.to_i}; includeSubDomains; preload"
  config.x_frame_options = 'DENY'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection = '1; mode=block'
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.referrer_policy = %w[origin-when-cross-origin
                              strict-origin-when-cross-origin]
  config.csp = {
    default_src: %w['none'],
    script_src: %w['self' http://www.google-analytics.com],
    connect_src: %w['self'],
    frame_ancestors: %w['none'],
    font_src: %w['self' data: https://fonts.gstatic.com],
    img_src: %w['self' data: https://validator.swagger.io],
    style_src: %w['self' https://fonts.googleapis.com],
  }
end

Generated headers

default-src 'none'; connect-src 'self'; font-src 'self' data: fonts.gstatic.com; frame-ancestors 'none'; img-src 'self' data: validator.swagger.io; script-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes content_security_policy_nonce calls Rails method so CSP does not contain nonce #511

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[rei-moo]

I don't believe this approach will solve the general case, although it may fix cases where an implementer can explicitly call a parameterized version of content_security_policy_nonce.

We need to address the conflict by making sure that the nonce we provide will be used in a context where the application expects to call Rails' CSP. Alternatively there may be a mismatch in how we share the nonce value within CSP headers and how we use nonced_javascript_tag but I still need to investigate that to understand it fully.

Idea: We may be able to use our initializer / activesupport hook to prepend our SecureHeaders classes ensuring that our version of of content_security_policy_nonce is called rather than Rails'.