Update CSS CSP to avoid inline styling, add CSS links to head

Author: mperham

examples/webui-ext/web/views/redis_info.erb

@@ -1,4 +1,4 @@
-<%= style_tag "redis_info/css/ext.css" %>
+<% style_tag "redis_info/css/ext.css" %>
 
 <div class="header-container">
   <h1><%= t('Redis') %></h1>

lib/sidekiq/web.rb

@@ -86,7 +86,7 @@ def self.reset!
 
     def call(env)
       env[:web_config] = Sidekiq::Web.configure
-      env[:csp_nonce] = SecureRandom.base64(16)
+      env[:csp_nonce] = SecureRandom.hex(8)
       env[:redis_pool] = self.class.redis_pool
       app.call(env)
     end

lib/sidekiq/web/application.rb

@@ -23,7 +23,7 @@ class Application
         "media-src 'self'",
         "object-src 'none'",
         "script-src 'self' 'nonce-!placeholder!'",
-        "style-src 'self' https: http: 'unsafe-inline'", # TODO Nonce in 8.0
+        "style-src 'self' 'nonce-!placeholder!'",
         "worker-src 'self'",
         "base-uri 'self'"
       ].join("; ").freeze

lib/sidekiq/web/helpers.rb

@@ -18,7 +18,9 @@ def style_tag(location, **kwargs)
         nonce: csp_nonce,
         href: location
       }
-      html_tag(:link, attrs.merge(kwargs))
+      add_to_head do
+        html_tag(:link, attrs.merge(kwargs))
+      end
     end
 
     def script_tag(location, **kwargs)

web/views/_poll_link.erb

@@ -1,4 +1,4 @@
 <% if pollable? %>
     <a class="live-poll-start live-poll btn btn-primary"><%= t('LivePoll') %></a>
-    <a class="live-poll-stop live-poll btn btn-primary active"><%= t('StopPolling') %></a>
+    <a class="live-poll-stop live-poll btn btn-primary active" style="display: none"><%= t('StopPolling') %></a>
 <% end %>