Content Security Policy issue about graphiql-rails HOT 3 CLOSED

I had adjusted the config/content_security_policy.rb and disallowed inline script tags. I had to adjust the enable them in development.

Here's more or less what I ended up with in case anybody else ends up in this same place since it's actually a recommended step when setting up webpacker and vue with rails.

Rails.application.config.content_security_policy do |policy|
  if Rails.env.development?
    policy.script_src :self, :https, :unsafe_eval, :unsafe_inline
  else
    policy.script_src :self, :https
  end
end

from graphiql-rails.

I'm investigating addressing the root cause of needing 'unsafe-eval' in the CSP, but I want to share an alternative workaround for the time being:

if defined?(GraphiQL::Rails)
  # While the gem is loaded up front, its controller is autoloaded.
  # Therefore we must ensure our patch runs after loading, every time.
  Rails.autoloaders.main.on_load("GraphiQL::Rails::EditorsController") do
    GraphiQL::Rails::EditorsController.content_security_policy do |policy|
      policy.script_src(*policy.script_src, :unsafe_eval)
    end
  end
end

Rather than add 'unsafe-eval' to the entire host app's CSP, this only adds it to the relevant controller.

If for some reason it is impossible to address the unsafely eval'ing JS in GraphiQL itself (e.g. new Function("return this;")), then we can update this gem to do the controller level CSP change itself, but ideally we'll fix it upstream.

from graphiql-rails.

Thank you @jejacks0n

from graphiql-rails.