Comments (3)
I had adjusted the config/content_security_policy.rb and disallowed inline script tags. I had to adjust it to enable them in development.
Here's more or less what I ended up with, in case anybody else ends up in this same place, since it's actually a recommended step when setting up Webpacker and Vue with Rails.

```ruby
Rails.application.config.content_security_policy do |policy|
  if Rails.env.development?
    # Development only: allow inline and eval'd script
    policy.script_src :self, :https, :unsafe_eval, :unsafe_inline
  else
    # Everywhere else: no inline or eval'd script
    policy.script_src :self, :https
  end
end
```
from graphiql-rails.
I'm investigating addressing the root cause of needing 'unsafe-eval' in the CSP, but I want to share an alternative workaround for the time being:

```ruby
if defined?(GraphiQL::Rails)
  # While the gem is loaded up front, its controller is autoloaded.
  # Therefore we must ensure our patch runs after loading, every time.
  Rails.autoloaders.main.on_load("GraphiQL::Rails::EditorsController") do
    GraphiQL::Rails::EditorsController.content_security_policy do |policy|
      # script_src with no arguments yields the host app's current sources;
      # re-set them with 'unsafe-eval' appended, for this controller only
      policy.script_src(*policy.script_src, :unsafe_eval)
    end
  end
end
```

Rather than add 'unsafe-eval' to the entire host app's CSP, this only adds it to the relevant controller.
If for some reason it is impossible to address the unsafely eval'ing JS in GraphiQL itself (e.g. new Function("return this;")), then we can update this gem to do the controller level CSP change itself, but ideally we'll fix it upstream.
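The point of the controller-scoped workaround above is that 'unsafe-eval' should show up in the Content-Security-Policy header of the GraphiQL route and nowhere else. The following is an added example, not code from this thread or from graphiql-rails, that checks exactly that: it parses CSP response headers into directives and audits which paths allow 'unsafe-eval' or 'unsafe-inline' in their effective script sources. The header values in SAMPLE_HEADERS are constructed stand-ins for what the host app, the GraphiQL controller, and an over-broad app-wide policy would emit; in a real deploy check you would replace them with headers captured from the running app (for example with curl -sI).

```ruby
# Added example (not graphiql-rails code): audit Content-Security-Policy
# headers so that 'unsafe-eval' is scoped to the GraphiQL route only.

# Parse a CSP header into { "script-src" => ["'self'", "https:"], ... }.
# Directives are separated by ';', sources by whitespace; directive names
# are case-insensitive, so they are downcased.
def parse_csp(header)
  header.split(";").each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] = sources
  end
end

# Effective script sources: script-src if present, otherwise the
# default-src fallback the browser would apply.
def script_sources(policy)
  policy["script-src"] || policy["default-src"] || []
end

UNSAFE = ["'unsafe-eval'", "'unsafe-inline'"].freeze

# Return the unsafe keywords a page's effective script sources allow.
def unsafe_script_keywords(header)
  script_sources(parse_csp(header)) & UNSAFE
end

# Audit a hash of path => CSP header. Only paths in allowed_eval_paths may
# carry 'unsafe-eval'; no path may carry 'unsafe-inline'. Returns a list of
# violation strings (empty when the deployment looks right).
def audit_csp(headers_by_path, allowed_eval_paths)
  headers_by_path.flat_map do |path, header|
    unsafe_script_keywords(header).filter_map do |keyword|
      next if keyword == "'unsafe-eval'" && allowed_eval_paths.include?(path)
      "#{path}: script-src allows #{keyword}"
    end
  end
end

# Constructed sample responses (assumption, not captured from a real app):
# the host app's global policy, the GraphiQL controller's policy with
# 'unsafe-eval' appended, and the over-broad alternative where 'unsafe-eval'
# and 'unsafe-inline' were added to the whole app.
SAMPLE_HEADERS = {
  "/"         => "default-src 'self'; script-src 'self' https:; object-src 'none'",
  "/graphiql" => "default-src 'self'; script-src 'self' https: 'unsafe-eval'; object-src 'none'",
  "/admin"    => "default-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline'",
}.freeze

if __FILE__ == $0
  audit_csp(SAMPLE_HEADERS, ["/graphiql"]).each { |violation| puts violation }
end
```

Run stand-alone, the script reports only the "/admin" policy, which is the outcome the controller-scoped patch is meant to avoid: the root and GraphiQL paths pass, because 'unsafe-eval' appears only where it is expected.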
Thank you @jejacks0n