Vendor TomSelect 2.4.3 β drop CDN dependency for CSP#2716
Open
mroderick wants to merge 1 commit into
Open
Conversation
jsDelivr script-src/style-src exceptions can now be dropped from CSP. - Static files in public/tom-select/ (outside Sprockets, immune to assets:clobber) β SassC chokes on CSS custom-property fallbacks - Init code extracted from application.js into admin-only file, uses DOMContentLoaded (jQuery 1.12.4 ready promise silently drops post-resolution callbacks from separate script tags) - All 4 admin views updated to reference /tom-select/ paths
mroderick
marked this pull request as ready for review
July 16, 2026 15:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
TomSelect is loaded from
cdn.jsdelivr.neton 4 admin pages, forcing ascript-src+style-srcCSP exception for an external CDN. Removing third-party dependencies simplifies the CSP configuration being planned.Solution
Vendor TomSelect 2.4.3 into
public/tom-select/as static files, outside the Sprockets-managedpublic/assets/directory. This makes them immune toassets:clobber.Had to put them outside Sprockets because SassC chokes on
max(var(--ts-pr-caret), .75rem)in the TomSelect CSS β it tries to parse custom-property fallbacks and throwsSassC::SyntaxError.Changes
application.js, loads only on admin pages/tom-select/paths/tom-select/paths/tom-select/paths/tom-select/pathsWhy not
$(function(){...})jQuery 1.12.4's
ready.promise().done(fn)silently drops callbacks registered after the DOM is already ready β even thoughjQuery.isReady=true, the deferred nullifies its callback list on resolution. This was invisible before because the init code was insideapplication.js(registered before DOM ready). As a separate script tag loaded afterapplication.js, the callbacks never fired. Fixed by using nativeDOMContentLoaded.Verification
All 110 admin RSpec examples pass, including the 2 TomSelect-specific feature specs.
CSP impact
After this PR,
cdn.jsdelivr.netcan be dropped from bothscript-srcandstyle-srcin the pending CSP config (PR to follow).