codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

CSP + DebugBar #1165

Closed nowackipawel closed 5 years ago

nowackipawel commented 6 years ago

Hi there, I'm not a CSP expert. I configured CSP with self and the required domains (for scripts, styles and fonts) and everything was great until the DebugToolbar was turned on. Even if all of the toolbar's tabs seem to work OK, there are errors in the console:

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src"). Source: onclick attribute on A element. [only once]
Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src"). [repeated when tab is changed]
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src"). [repeated when tab is changed]

[nginx/php7.2/debian + ff / iridium]

... actually Iridium (Chrome) gave me more details:

?debugbar:49 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://maxcdn.bootstrapcdn.com/ https://use.fontawesome.com/ 'nonce-fd68498a9d2a9ea28cd45f26'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

xhttp.onreadystatechange @ ?debugbar:49

I think the problem is not with the first HTML code which is generated by the DebugToolbar, but when it tries to apply additional scripts/styles.

lonnieezell commented 6 years ago

Are you using the latest version of the develop branch? I remember a patch came through not very long ago that set {csp_nonce} in the HTML for the toolbar, which should have fixed that error.

nowackipawel commented 6 years ago

Unfortunately my versions of /system/Debug/Toolbar/toolbarloader.js.php and /application/Filters/DebugToolbar.php are the same as here :(

puschie286 commented 6 years ago

Your errors are "normal" and can be ignored because they don't affect your site at all. The latest toolbar changes should only allow use with CSP protection enabled and the development environment.

jim-parry commented 5 years ago

Kint issue? out-of-scope for us? No further info in 3 months.

crustamet commented 1 year ago

I don't know about you guys, but I just created a new CodeIgniter 4 project with the latest updates on PHP 8.1.2, and this problem still persists when I use the development environment with the debugbar: {csp-style-nonce} is just not replaced in development mode, or if it is replaced, it is replaced with an empty value.


crustamet commented 1 year ago

I guess it is hard to make a JS file that does not use inline scripts and include them.