Add missing nonced_stylesheet_pack_tag

paulfri · paulfri · commit ba575317780e · 2017-11-21T14:15:11.000-08:00
Equivalents were added in 1e81a0a. This also fixes a bug preventing passing any arguments to these tags. Tests were updated with a sample to reflect this.
diff --git a/docs/per_action_configuration.md b/docs/per_action_configuration.md
@@ -72,6 +72,8 @@ body {
 <%= nonced_javascript_pack_tag "pack.js" %>
 
 <%= nonced_stylesheet_link_tag "link.css" %>
+
+<%= nonced_stylesheet_pack_tag "pack.css" %>
 ```
 
 becomes:
@@ -136,4 +138,4 @@ end
 class SessionsController < ApplicationController
   after_action  :clear_browser_cache, only: :destroy
 end
-```
+```
diff --git a/lib/secure_headers/view_helper.rb b/lib/secure_headers/view_helper.rb
@@ -34,16 +34,24 @@ def nonced_javascript_tag(content_or_options = {}, &block)
     # Instructs secure_headers to append a nonce to script-src directive.
     #
     # Returns an html-safe script tag with the nonce attribute.
-    def nonced_javascript_include_tag(*args, &block)
-      javascript_include_tag(*args, nonce: content_security_policy_nonce(:script), &block)
+    def nonced_javascript_include_tag(*args, **kwargs, &block)
+      javascript_include_tag(*args, kwargs.merge(nonce: content_security_policy_nonce(:script)), &block)
     end
 
     # Public: create a script Webpacker pack tag using the content security policy nonce.
     # Instructs secure_headers to append a nonce to script-src directive.
     #
     # Returns an html-safe script tag with the nonce attribute.
-    def nonced_javascript_pack_tag(*args, &block)
-      javascript_pack_tag(*args, nonce: content_security_policy_nonce(:script), &block)
+    def nonced_javascript_pack_tag(*args, **kwargs, &block)
+      javascript_pack_tag(*args, kwargs.merge(nonce: content_security_policy_nonce(:script)), &block)
+    end
+
+    # Public: create a stylesheet Webpacker link tag using the content security policy nonce.
+    # Instructs secure_headers to append a nonce to style-src directive.
+    #
+    # Returns an html-safe link tag with the nonce attribute.
+    def nonced_stylesheet_pack_tag(*args, **kwargs, &block)
+      stylesheet_pack_tag(*args, kwargs.merge(nonce: content_security_policy_nonce(:style)), &block)
     end
 
     # Public: use the content security policy nonce for this request directly.
diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -41,10 +41,12 @@ def self.template
 
 <%= nonced_javascript_include_tag "include.js" %>
 
-<%= nonced_javascript_pack_tag "pack.js" %>
+<%= nonced_javascript_pack_tag "pack.js", defer: true %>
 
 <%= nonced_stylesheet_link_tag "link.css" %>
 
+<%= nonced_stylesheet_pack_tag "pack.css", media: :all %>
+
 TEMPLATE
   end
 
@@ -80,6 +82,8 @@ def stylesheet_link_tag(source, options = {})
     content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
   end
 
+  alias_method :stylesheet_pack_tag, :stylesheet_link_tag
+
   def result
     super(binding)
   end
