Walkthrough

Threads an optional CSP nonce from Rails through the Node RSC renderer into injected/preloaded RSC payload scripts and client-side console-replay scripts; nonce values are sanitized before being assigned to generated <script> elements. Tests and a Rails helper were added to surface and verify the nonce.

Changes

Sequence Diagram(s)

sequenceDiagram
    participant Rails as Rails Server
    participant Node as Node Renderer
    participant Client as Browser Client

    Rails->>Rails: extract csp_nonce
    Rails->>Node: railsContext { ..., cspNonce }
    Node->>Node: createFromFetch / createFromPreloadedPayloads(..., cspNonce)
    Node->>Node: injectRSCPayload(stream, tracker, domNodeId, cspNonce)
    Node->>Client: send HTML + inline RSC payload scripts (nonce attr)
    Client->>Client: transformRSCStreamAndReplayConsoleLogs(stream, cspNonce)
    Client->>Client: sanitizeNonce(cspNonce)
    Client->>Client: create replay <script nonce="..."> and append -> executes

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐇 I carried a nonce from Rails to the stream,

tucked it in scripts like a safe little gleam.
I nibbled the danger, stripped quotes and surprise,
now replay scripts hop and run beneath clear skies. 🥕✨

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Greptile Summary

This PR propagates CSP (Content Security Policy) nonce values through the React on Rails Pro RSC streaming and console replay paths, ensuring that dynamically injected <script> tags include the correct nonce attribute required by strict CSP policies.

• Adds cspNonce to the rails_context hash (Ruby) and RailsContext type (TypeScript) so the nonce is available throughout both server-side and client-side rendering flows
• Threads the nonce through server-side HTML stream injection (injectRSCPayload) and client-side console replay script insertion (transformRSCStreamAndReplayConsoleLogs)
• Sanitizes nonce values with a character allowlist before inserting into script tags, preventing attribute injection attacks
• Adds regression tests for nonce injection and sanitization in both RSC payload and console replay paths
• Note: The PR description states this is untested locally due to environment constraints (Ruby 2.6.10, no pnpm). CI verification is important before merging.
• Minor concern: The nonce sanitization regex is duplicated across two files — extracting it to a shared utility would improve maintainability

Confidence Score: 4/5

• This PR is safe to merge after CI passes — it adds CSP nonce support through well-understood plumbing patterns with appropriate sanitization.
• The changes are straightforward parameter threading with proper sanitization. The nonce allowlist regex is correct for base64-encoded CSP nonces. The only concern is the duplicated sanitization logic and that the author could not run tests locally, making CI verification essential.
• Pay attention to injectRSCPayload.ts and transformRSCStreamAndReplayConsoleLogs.ts — these contain the duplicated sanitization logic and are the security-sensitive files where nonces are applied to script tags.

Important Files Changed

Flowchart

flowchart TD
    A["Rails helper.rb\n(rails_context)"] -->|"cspNonce"| B["RailsContext type\n(types/index.ts)"]
    B -->|"Server-side path"| C["streamServerRenderedReactComponent"]
    C -->|"railsContext.cspNonce"| D["injectRSCPayload"]
    D -->|"nonceAttribute(cspNonce)"| E["Script tags with nonce\n(RSC payload injection)"]
    B -->|"Client-side path"| F["getReactServerComponent.client"]
    F -->|"railsContext.cspNonce"| G["transformRSCStreamAndReplayConsoleLogs"]
    G -->|"sanitizeNonce(cspNonce)"| H["Script elements with nonce\n(console replay)"]

_{Last reviewed commit: fe948e6}

size-limit report 📦

PR Review: CSP nonce support for RSC streaming. The approach is solid overall -- threading cspNonce through Rails context into both server-side HTML stream injection and client-side console replay is the right pattern. The Ruby side is clean; csp_nonce is already well-guarded by the existing respond_to? check and Rails version fallback at helper.rb:493. See inline comments for specific issues found.

Code Review

Overall this is a solid, well-structured addition. CSP nonce support threads cleanly through both the Ruby and TypeScript layers, the sanitization logic is sound, and the defence-in-depth approach (strip + format-validate) is the right pattern for nonces. A few items worth addressing before merge are noted below with inline comments.

Summary of findings

Correctness

• The two-step sanitization (replace then match) is correct and consistent between RenderUtils.ts and the new sanitizeNonce utility. The regex edge cases (mid-string =, empty input, all-padding input) all behave properly.
• add_csp_nonce_to_context safely delegates to the pre-existing csp_nonce helper which already guards against missing content_security_policy_nonce via respond_to?.

Test gaps

• injectRSCPayload.test.ts only covers the rejection path (malicious nonce → no attribute emitted). There is no test asserting that a valid nonce is correctly written into the injected <script> tags. This is the most important coverage gap.
• transformRSCStreamAndReplayConsoleLogs.test.ts uses getAttribute('nonce') to verify the value. JSDOM reflects IDL-set nonces back through getAttribute, but real browsers hide nonces from attribute inspection as a security measure. The assertion will pass in tests but the approach is JSDOM-specific — consider using script.nonce instead.

Performance / design

• nonceAttribute() calls sanitizeNonce() on every chunk/script-tag creation inside the streaming path. The nonce never changes within a single stream; computing it once outside the per-chunk functions would be cleaner.
• The exact sanitization logic is duplicated between packages/react-on-rails/src/RenderUtils.ts and packages/react-on-rails-pro/src/utils.ts. This is expected across package boundaries, but there is no cross-reference comment, creating a small future-divergence risk.

Minor

• The test plan explicitly says "UNTESTED in this environment" — please confirm CI passes before merging, especially the Ruby specs which exercise the new add_csp_nonce_to_context path.

test comment - please ignore (deleted)