d49e7ce4f5
unsafe-inline on script-src neutered CSP as an XSS defense on the login and OAuth consent pages (the highest-value targets in an IdP). Switch to a per-response nonce for both script-src and style-src and drop unsafe-inline entirely. - Add a random per-response nonce generator and apply it to script-src/style-src. - Remove :unsafe_inline from both directives. - Nonce the one hand-written inline script (dark-mode detection in the layout). - Convert the 2 static style="display:none" attributes to class="hidden" (their runtime toggle is done via element.style in JS, which CSP does not govern). importmap-rails (2.2.3) already stamps the nonce onto its generated inline importmap/module/preload tags, and Turbo (2.0.23) reads csp_meta_tag for its injected <style>, so no other view changes were needed. Adds an integration test asserting the enforcing header carries nonces, omits unsafe-inline, and that the inline script's nonce matches the header. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
3.7 KiB
3.7 KiB