`content_security_policy_nonce` calls Rails method so CSP does not contain nonce

[jdudley1123]

Expected outcome

I am using GoodJob to process jobs on Rails 6. The GoodJob dashboard includes a number of scripts and styles. These all have nonces set using the content_security_policy_nonce method.

 <%= tag.script "", src: frontend_static_path(:bootstrap, format: :js, v: GoodJob::VERSION, locale: nil), nonce: content_security_policy_nonce %>

(link to code)

I would expect Secure Headers to set the nonce in the CSP header so that these scripts are permitted.

Actual outcome

No nonce is set in the CSP header. I think that Rails' own content_security_policy_nonce method is being called rather than the Secure Headers method of the same name. This means that the CSP set by Secure Headers doesn't include the nonce, and the scripts and styles are therefore not permitted.

I know that recommend practice when using Secure Headers is to use the nonced_javascript_tag method, but since this is in a gem I can't do that.

Possible related issues:

• Method conflicting content_security_policy_nonce with Rails 5.2 #392
• Avoid calling content_security_policy_nonce internally #389

Config

SecureHeaders::Configuration.default do |config|
  config.hsts = "max-age=#{1.year.to_i}; includeSubDomains; preload"
  config.x_frame_options = 'DENY'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection = '1; mode=block'
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.referrer_policy = %w[origin-when-cross-origin
                              strict-origin-when-cross-origin]
  config.csp = {
    default_src: %w['none'],
    script_src: %w['self' http://www.google-analytics.com],
    connect_src: %w['self'],
    frame_ancestors: %w['none'],
    font_src: %w['self' data: https://fonts.gstatic.com],
    img_src: %w['self' data: https://validator.swagger.io],
    style_src: %w['self' https://fonts.googleapis.com],
  }
end

Generated headers

default-src 'none'; connect-src 'self'; font-src 'self' data: fonts.gstatic.com; frame-ancestors 'none'; img-src 'self' data: validator.swagger.io; script-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com

[adeherdt-r7]

I am running into a similar problem.
We use something like this to inject nonce headers:

  def include_gon_jquery(opts={})
    opts.merge!(need_tag:false)

    init_gon = <<eos
    jQuery(function($){
      #{Gon::Base.render_data(opts)}
    })
eos

    nonced_javascript_tag init_gon
  end

And Firefox keeps reporting that this is being blocked because of the Content-Security-Policy.
This is our configuration:

  config.csp = {
    default_src:      %w('self'),
    img_src:          %w('self' data:),
    frame_src:        %w('self'),
    connect_src:      %w('self' https://mydomain.com),
    font_src:         %w('self'),
    media_src:        %w('self'),
    object_src:       %w('self'),
    style_src:        %w('self' 'unsafe-inline' 'inline'),
    script_src:       %w('self' 'unsafe-eval' 'eval' 'nonce'),
    script_src_elem:  %w('self' 'unsafe-eval' 'eval' 'nonce'),
  }

The core problem seems to be that the nonced_javascript_tag is not setting the correct nonce value inside the CSP header, as the browser doesn't have the value. Checking the source code however does reveal that the generated <script> tag contains the nonce value.

[adeherdt-r7]

I'd like to add that this issue was a Firefox problem for me, and actually caused by caching.
Wiping out the cache in Firefox and forcing a hard reload made it all work.