From 5da5d1b34e438cd7aaacf7ed22562d4d8667958e Mon Sep 17 00:00:00 2001
From: oz-tal <979951+oz-tal@users.noreply.github.com>
Date: Fri, 6 Jun 2025 22:20:46 -0400
Subject: [PATCH] Add nonce to css/js tags
Ensure css/js tags carry the CSP nonce (if one is defined).
---
app/views/layouts/rails_admin/_head.html.erb | 17 +++++++++--------
app/views/rails_admin/main/index.html.erb | 2 +-
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/app/views/layouts/rails_admin/_head.html.erb b/app/views/layouts/rails_admin/_head.html.erb
index 43ce0096d..319be4230 100644
--- a/app/views/layouts/rails_admin/_head.html.erb
+++ b/app/views/layouts/rails_admin/_head.html.erb
@@ -4,22 +4,23 @@
<%= csrf_meta_tag %>
+<%= csp_meta_tag %>
<% case RailsAdmin::config.asset_source
when :webpacker %>
- <%= stylesheet_pack_tag "rails_admin", data: {'turbo-track': 'reload'} %>
- <%= javascript_pack_tag "rails_admin", defer: true, data: {'turbo-track': 'reload'} %>
+ <%= stylesheet_pack_tag "rails_admin", data: {'turbo-track': 'reload'}, nonce: true %>
+ <%= javascript_pack_tag "rails_admin", defer: true, data: {'turbo-track': 'reload'}, nonce: true %>
<% when :sprockets %>
<% handle_asset_dependency_error do %>
- <%= stylesheet_link_tag "rails_admin/application.css", media: :all, data: {'turbo-track': 'reload'} %>
- <%= javascript_include_tag "rails_admin/application.js", defer: true, data: {'turbo-track': 'reload'} %>
+ <%= stylesheet_link_tag "rails_admin/application.css", media: :all, data: {'turbo-track': 'reload'}, nonce: true %>
+ <%= javascript_include_tag "rails_admin/application.js", defer: true, data: {'turbo-track': 'reload'}, nonce: true %>
<% end %>
<% when :vite %>
- <%= vite_javascript_tag "rails_admin", defer: true, data: {'turbo-track': 'reload'} %>
+ <%= vite_javascript_tag "rails_admin", defer: true, data: {'turbo-track': 'reload'}, nonce: true %>
<% when :webpack %>
- <%= stylesheet_link_tag "rails_admin.css", media: :all, data: {'turbo-track': 'reload'} %>
- <%= javascript_include_tag "rails_admin.js", defer: true, data: {'turbo-track': 'reload'} %>
+ <%= stylesheet_link_tag "rails_admin.css", media: :all, data: {'turbo-track': 'reload'}, nonce: true %>
+ <%= javascript_include_tag "rails_admin.js", defer: true, data: {'turbo-track': 'reload'}, nonce: true %>
<% when :importmap %>
- <%= stylesheet_link_tag "rails_admin.css", media: :all, data: {'turbo-track': 'reload'} %>
+ <%= stylesheet_link_tag "rails_admin.css", media: :all, data: {'turbo-track': 'reload'}, nonce: true %>
<%= javascript_inline_importmap_tag(RailsAdmin::Engine.importmap.to_json(resolver: self)) %>
<%= javascript_importmap_module_preload_tags(RailsAdmin::Engine.importmap) %>
<%= javascript_importmap_shim_nonce_configuration_tag if respond_to? :javascript_importmap_shim_nonce_configuration_tag %>
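Review bot: `nonce: true` on the `stylesheet_link_tag` calls in the sprockets, webpack and importmap branches (and on `stylesheet_pack_tag` in the webpacker branch) depends on the underlying helper recognising that option; on a Rails or packer version where it does not, the option is presumably merged into the tag attributes verbatim and renders a literal `nonce="true"`, which never matches the policy nonce, so this is worth confirming against the gem's minimum supported versions. When the option is recognised the attribute is emitted only if `content_security_policy_nonce` is present, so hosts without a nonce generator are unaffected; the template could state that in an ERB comment such as `<%# nonce: true adds the CSP nonce only when the host app configures a nonce generator %>`. In the vite branch, whether `nonce: true` also reaches the stylesheet and preload tags that `vite_javascript_tag` emits alongside the script is up to vite_rails and is not verified by this change. The closing lines of the `case` block fall outside the visible hunk.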
diff --git a/app/views/rails_admin/main/index.html.erb b/app/views/rails_admin/main/index.html.erb
index 54c32cab2..95da462c2 100644
--- a/app/views/rails_admin/main/index.html.erb
+++ b/app/views/rails_admin/main/index.html.erb
@@ -44,7 +44,7 @@
<% end %>
<% end %>
-