codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Bug: url_helper / safe_mailto() not CSP useable (needs nonce) #6602

Closed Kimotu closed 2 years ago

Kimotu commented 2 years ago

PHP Version

7.3, 7.4, 8.0, 8.1

CodeIgniter4 Version

4.2.6

CodeIgniter4 Installation Method

Git

Which operating systems have you tested for this bug?

macOS, Windows, Linux

Which server did you use?

fpm-fcgi

Database

No response

What happened?

Browser refused to load/run safe_mailto() function from url_helper, no mail address is shown. The mail address is javascript encoded, but the inline script does not add a nonce when app.CSPEnabled = true

Steps to Reproduce

enable CSP (e.g. app.CSPEnabled = true)

insert <?= safe_mailto('john.doe@inter.net','John Doe'); ?> into your view, check output for missing address and debug console for csp errors.

Expected Output

Visible mail link which loads mail client, no CSP error in debug console.

Anything else?

I think this issue may concern all helpers/functions that insert inline javascript. I actually did not search for them. The workaround is pretty easy. Just add {csp-script-nonce} to the script tag. That's the way I fixed it, but it breaks updates via git, since my changes get overwritten.
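As an added example (not CodeIgniter4's own code and not the fix from the PR): a nonce-aware mailto helper in the spirit of safe_mailto(), a simplified stand-in for the placeholder expansion the framework performs when app.CSPEnabled is on, and a check that every inline script carries the nonce the header allows. All function names are hypothetical, and the expansion of {csp-script-nonce} into a nonce attribute is an assumption about the framework's behaviour.

```php
<?php
// Added example, not CodeIgniter4 code. Function names are hypothetical;
// the expansion of {csp-script-nonce} into nonce="..." is assumed.

/** Encode the address as JS char codes (like safe_mailto() does) and emit
 *  the <script> with the nonce placeholder instead of a bare tag. */
function noncedMailto(string $email, string $title): string
{
    $codes = implode(',', array_map('ord', str_split("mailto:$email")));
    $label = addslashes(htmlspecialchars($title));
    $js = "var h='';var c=[$codes];for(var i=0;i<c.length;i++)"
        . "h+=String.fromCharCode(c[i]);"
        . "document.write('<a href=\"'+h+'\">$label</a>');";
    // A bare <script> is refused under script-src 'self'; the placeholder
    // lets the CSP post-processing attach the per-response nonce.
    return "<script {csp-script-nonce}>$js</script>";
}

/** Simplified stand-in for the framework's CSP post-processing:
 *  mint a nonce, expand the placeholder, build the matching header. */
function applyScriptNonce(string $body, ?string $nonce = null): array
{
    $nonce = $nonce ?? bin2hex(random_bytes(12));
    $body = str_replace('{csp-script-nonce}', 'nonce="' . $nonce . '"', $body);
    return [$body, "script-src 'self' 'nonce-$nonce'"];
}

/** Check: every inline <script> must carry the allowed nonce, otherwise the
 *  browser blocks it and the address never appears (the reported symptom). */
function inlineScriptsNonced(string $body, string $nonce): bool
{
    preg_match_all('/<script\b([^>]*)>/i', $body, $m);
    foreach ($m[1] as $attrs) {
        if (stripos($attrs, ' src=') !== false) {
            continue; // external same-origin script, covered by 'self'
        }
        if (!preg_match('/\bnonce="' . preg_quote($nonce, '/') . '"/', $attrs)) {
            return false;
        }
    }
    return true;
}

// Constructed sample view; the address is the one from the bug report.
$view = '<p>Contact: ' . noncedMailto('john.doe@inter.net', 'John Doe') . '</p>';
[$html, $csp] = applyScriptNonce($view);
preg_match('/nonce-(\w+)/', $csp, $n);
header("Content-Security-Policy: $csp");
echo $html;
assert(inlineScriptsNonced($html, $n[1]));
```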

ddevsr commented 2 years ago

What CSP config do you use?

Kimotu commented 2 years ago

What do you mean? I use the default CI4 CSP policy, which defaults to 'self' for most things. There is no unsafe-inline active. I added CDN urls via $this->response->CSP->addXXXSrc as exceptions and created hashes for inline styles. Nothing complains, except this safe_mailto() script.

kenjis commented 2 years ago

Thank you for reporting.

I sent a PR #6604. Please try it if you can.

Kimotu commented 2 years ago

Thanks, now it works 👍

Maybe you want to check your test script. The regex is <xscript, but shouldn't it be <script?

Little annotation: https://validator.w3.org/nu/ complains about <script type="text/javascript"> because 'The “type” attribute is unnecessary for JavaScript resources.' Just in case you want to create 100% w3 valid output.

kenjis commented 2 years ago

@Kimotu Thank you for testing. Yes, the commit was wrong. I fixed it.
