Open spdawson opened 8 years ago
Thanks for bringing this to our attention as well. We'll look into this and get back to you soon. Sorry for the delay.
The latest release of the Rollbar gem, 2.14.0, doesn't seem to fix this. Are there any plans on fixing this in the next release?
Using `rollbar-2.14.0` and `secure_headers-3.5.1`.
Sorry for the delay. We expect to work on SecureHeaders and the Rollbar gem soon.
I found the issue, or at least for us: we have secure headers, but we don't use CSP. A fix that works for us is here: https://github.com/rollbar/rollbar-gem/pull/565
An alternative workaround is to monkey patch Rollbar to kill the script tag nonces; add the following to e.g. `config/initializers/rollbar.rb`:

```ruby
# Monkey patch Rollbar to prevent it from adding script tag nonces
require 'rollbar/middleware/js'

class Rollbar::Middleware::Js
  def append_nonce?
    false
  end
end
```
Related to #569
Still getting this error on: 'rails', '4.2.0' rollbar (3.1.1) secure_headers (6.3.0) ruby 2.3.0
```
[Rollbar] Rollbar.js could not be added because undefined method `to_a' for #<SecureHeaders::NoOpHeaderConfig:0x007fd1de550480>
Did you mean? to_yaml
to_s
to_param
to_h exception
```
I am seeing the following in my Rails production log, using v2.13.3
This is after upgrading `secure_headers` from v3.4.1 to v3.5.0 --- the `current_csp` method has been removed. Overall, I can't help feeling that the `secure_headers` integration in the Rollbar gem is just trying to be a little too clever. I would much prefer to see a configuration option to disable the use of script nonces, rather than the current attempt to "do the right thing" with respect to the prevailing CSP.