only render nonce attribute if nonce provided and fix tests

tompave · Apr 5, 2024 · b05dc84 · b05dc84
1 parent 00d1ea5
commit b05dc84
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 11 deletions.
diff --git a/lib/fun_with_flags/ui/templates.ex b/lib/fun_with_flags/ui/templates.ex
@@ -84,7 +84,10 @@ defmodule FunWithFlags.UI.Templates do
   end
 
   def csp_nonce(conn, type) do
-    csp_nonce_assign_key = conn.private.csp_nonce_assign_key[type]
-    conn.assigns[csp_nonce_assign_key]
+    assign_key = conn.private[:csp_nonce_assign_key][type]
+    case conn.assigns[assign_key] do
+      nil -> ""
+      nonce -> "nonce=\"#{nonce}\""
+    end
   end
 end
diff --git a/lib/fun_with_flags/ui/templates/_head.html.eex b/lib/fun_with_flags/ui/templates/_head.html.eex
@@ -2,6 +2,6 @@
   <meta charset="utf-8">
   <title>FunWithFlags - <%= @title %></title>
 
-  <link nonce="<%= csp_nonce(@conn, :style) %>" rel="stylesheet" href="<%= path(@conn, "/assets/bootstrap.min.css") %>">
-  <link nonce="<%= csp_nonce(@conn, :style) %>" rel="stylesheet" href="<%= path(@conn, "/assets/style.css") %>">
+  <link <%= csp_nonce(@conn, :style) %> rel="stylesheet" href="<%= path(@conn, "/assets/bootstrap.min.css") %>">
+  <link <%= csp_nonce(@conn, :style) %> rel="stylesheet" href="<%= path(@conn, "/assets/style.css") %>">
 </head>
diff --git a/lib/fun_with_flags/ui/templates/details.html.eex b/lib/fun_with_flags/ui/templates/details.html.eex
@@ -140,6 +140,6 @@
         </div>
       </div>
     </div>
-    <script nonce="<%= csp_nonce(@conn, :script) %>" type="text/javascript" src="<%= path(@conn, "/assets/details.js") %>"></script>
+    <script <%= csp_nonce(@conn, :script) %> type="text/javascript" src="<%= path(@conn, "/assets/details.js") %>"></script>
   </body>
 </html>
diff --git a/test/fun_with_flags/ui/templates_test.exs b/test/fun_with_flags/ui/templates_test.exs
@@ -12,12 +12,8 @@ defmodule FunWithFlags.UI.TemplatesTest do
   end
 
   setup do
-    conn =
-      %Plug.Conn{}
-      |> Plug.Conn.assign(:namespace, "/pear")
-      |> Plug.Conn.put_private(:csp_nonce_assign_key, %{style: :style_key, script: :script_key})
-      |> Plug.Conn.assign(:csrf_token, Plug.CSRFProtection.get_csrf_token())
-
+    conn = Plug.Conn.assign(%Plug.Conn{}, :namespace, "/pear")
+    conn = Plug.Conn.assign(conn, :csrf_token, Plug.CSRFProtection.get_csrf_token())
     {:ok, conn: conn}
   end
 
@@ -190,4 +186,20 @@ defmodule FunWithFlags.UI.TemplatesTest do
       assert String.contains?(out, ~s{The flag <strong>watermelon</strong> doesn't exist.})
     end
   end
+
+  describe "CSP nonce" do
+    test "it includes a CSP nonce if provided", %{conn: conn} do
+      flag = %Flag{name: :avocado, gates: []}
+
+      conn =
+        conn
+        |> Plug.Conn.put_private(:csp_nonce_assign_key, %{script: :script_nonce, style: :style_nonce})
+        |> Plug.Conn.assign(:script_nonce, "honeydew")
+        |> Plug.Conn.assign(:style_nonce, "watermelon")
+
+      out = Templates.details(conn: conn, flag: flag)
+      assert String.contains?(out, ~s{<script nonce="honeydew"})
+      assert String.contains?(out, ~s{<link nonce="watermelon"})
+    end
+  end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -140,6 +140,6 @@ @@
             </div>
           </div>
         </div>
-        <script nonce="<%= csp_nonce(@conn, :script) %>" type="text/javascript" src="<%= path(@conn, "/assets/details.js") %>"></script>
+        <script <%= csp_nonce(@conn, :script) %> type="text/javascript" src="<%= path(@conn, "/assets/details.js") %>"></script>
       </body>
     </html>