I currently have a content security policy set up in my application, however it is not detected by bullet (I am running v7.0.7 of bullet). In order to investigate I went ahead and put a breakpoint in the bullet loader and discovered the following:
```
➜ rails c
[21, 30] in ~/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/bullet-7.0.7/lib/bullet.rb
    21|   autoload :NotificationCollector, 'bullet/notification_collector'
    22|
    23|   if defined?(Rails::Railtie)
    24|     class BulletRailtie < Rails::Railtie
    25|       initializer 'bullet.configure_rails_initialization' do |app|
=>  26|         debugger
    27|         if defined?(ActionDispatch::ContentSecurityPolicy::Middleware) && Rails.application.config.content_security_policy
    28|           app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, Bullet::Rack
    29|         else
    30|           app.middleware.use Bullet::Rack
=>#0    block {|app=#<Kp20::Application>|} in <class:BulletRailtie> at ~/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/bullet-7.0.7/lib/bullet.rb:26
  #1    [C] BasicObject#instance_exec at ~/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/railties-7.0.4.3/lib/rails/initializable.rb:32
  # and 32 frames (use `bt' command for all frames)
(ruby) Rails.application.config.content_security_policy
nil
(rdbg) c    # continue command
Loading development environment (Rails 7.0.4.3)
irb: warn: can't alias context from irb_context.
irb(main):001:0> Rails.application.config.content_security_policy
=>
#<ActionDispatch::ContentSecurityPolicy:0x000000010b5864c8
 @directives=
  {"default-src"=>["'self'", "https:"],
   "font-src"=>["'self'", "https:"],
   "img-src"=>["'self'", "https:", "data:"],
   "object-src"=>["'none'"],
   "script-src"=>["'self'", "https:"],
   "style-src"=>["'self'", "https:"]}>
irb(main):002:0>
```
Based on this it looks like bullet is loading too early and is ill-positioned to actually detect whether the CSP middleware is loaded. In order to try to fix it, I tried moving the bullet initializer before and after the CSP loader but to no avail.

If I modify the bullet code to always call `app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, Bullet::Rack` then everything works properly, which confirms the issue is the loader not being able to detect the CSP.
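The timing problem described above, reproduced with a small stand-in for the Rails middleware stack (added example, not code from the bullet gem or from Rails; `FakeMiddlewareStack`, `FakeApp`, `bullet_configure` and `boot` are constructed here, and the two-entry stack is a trimmed stand-in for the real one):

```ruby
# Constructed stand-in for app.middleware: an ordered list of middleware names
# supporting the two calls bullet's railtie uses, `use` and `insert_before`.
class FakeMiddlewareStack
  attr_reader :names

  def initialize(names)
    @names = names.dup
  end

  # `use` appends to the end of the stack, i.e. after everything already present.
  def use(name)
    @names << name
  end

  def insert_before(target, name)
    idx = @names.index(target)
    raise ArgumentError, "#{target} is not in the stack" unless idx
    @names.insert(idx, name)
  end
end

# Constructed stand-in for the application: config.content_security_policy starts
# out nil and is only assigned later by config/initializers/content_security_policy.rb.
class FakeApp
  attr_accessor :content_security_policy
  attr_reader :middleware

  def initialize
    @middleware = FakeMiddlewareStack.new(%w[ActionDispatch::HostAuthorization ActionDispatch::ContentSecurityPolicy::Middleware])
    @content_security_policy = nil
  end
end

# The decision bullet 7.0.7 makes in its railtie initializer (paraphrased from the issue).
def bullet_configure(app, csp_middleware_defined: true)
  if csp_middleware_defined && app.content_security_policy
    app.middleware.insert_before('ActionDispatch::ContentSecurityPolicy::Middleware', 'Bullet::Rack')
  else
    app.middleware.use('Bullet::Rack')
  end
  app.middleware.names
end

# Simulated boot: run the bullet check either before or after the CSP policy has been assigned.
def boot(run_bullet_before_config_initializers:)
  app = FakeApp.new
  bullet_configure(app) if run_bullet_before_config_initializers
  app.content_security_policy = { 'default-src' => ["'self'", 'https:'] } # constructed policy
  bullet_configure(app) unless run_bullet_before_config_initializers
  app.middleware.names
end
```

Run before the policy is assigned (the order seen in the debugger session), `Bullet::Rack` lands at the end of the stack, after the CSP middleware; run afterwards, it lands before it.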
ryoung