codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Bug: {csp-style-nonce} Doesn't Work #6981

Closed donpwinston closed 1 year ago

donpwinston commented 1 year ago

PHP Version

8.1

CodeIgniter4 Version

4.2.10

CodeIgniter4 Installation Method

Composer (using codeigniter4/appstarter)

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

none

What happened?

{csp-style-nonce} is not getting resolved when my view is processed. I have to use <?= csp_style_nonce() ?> to get it to work. ($autoNonce = true in app/Config/ContentSecurityPolicy.php). NOTE: {csp-script-nonce} also does not work.

Steps to Reproduce

Turn CSP on. Create a view with a style tag, i.e., <style {csp-style-nonce}>...</style>

Expected Output

Anything else?

No response

kenjis commented 1 year ago

Not {css-style-nonce}, but {csp-style-nonce}.

donpwinston commented 1 year ago

Typo. {csp-style-nonce} doesn't work either. {csp-script-nonce} also does not work.


kenjis commented 1 year ago

Cannot reproduce it.

diff --git a/app/Config/App.php b/app/Config/App.php
index 79e5741..7b56cf6 100644
--- a/app/Config/App.php
+++ b/app/Config/App.php
@@ -462,5 +462,5 @@ class App extends BaseConfig
      *
      * @var bool
      */
-    public $CSPEnabled = false;
+    public $CSPEnabled = true;
 }
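Review bot: this hunk enables CSP through the class property `$CSPEnabled`, while the reporter enables it with `app.CSPEnabled = true` in `.env` (see the follow-up comment); `.env` values override the `Config\App` property, so the two should be equivalent, but a faithful repro would use the `.env` route as well and state the `$autoNonce` value in app/Config/ContentSecurityPolicy.php, which the report says is `true`.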
diff --git a/app/Controllers/Home.php b/app/Controllers/Home.php
index 7f867e9..4cc76d0 100644
--- a/app/Controllers/Home.php
+++ b/app/Controllers/Home.php
@@ -6,6 +6,6 @@ class Home extends BaseController
 {
     public function index()
     {
-        return view('welcome_message');
+        return '<style {csp-style-nonce}>...</style>';
     }
 }
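Review bot: returning the raw string `'<style {csp-style-nonce}>...</style>'` from `index()` exercises placeholder replacement on the response body but skips view rendering, whereas the report concerns a view file, and later a view under app/Views/errors/html; suggest placing the placeholder in a view and returning `view('...')`, and separately triggering an error so the errors/html view is rendered through the exception handler, since that path does not necessarily pass through the same response finalization as a normal controller return.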

I can see <style nonce="9ada8f523ef9afdc5593b739">...</style> in the response.
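For readers checking the placeholder behaviour outside a full CodeIgniter install, the following is an added stand-alone PHP script, not CodeIgniter's own code, that emulates what the framework's CSP step is expected to do with `{csp-style-nonce}` and `{csp-script-nonce}`: generate per-response nonces, expand each placeholder to a `nonce="..."` attribute as shown in the response above, and emit a matching `Content-Security-Policy` header. The nonce length, the header directives and the helper names `applyCspNonces` and `unnoncedInlineTags` are assumptions of this example; the view fragment is constructed and includes one `<style>` tag with the placeholder forgotten, the failure mode worth catching in review.

```php
<?php
// Added example (not CodeIgniter's code): emulate the expansion of
// {csp-style-nonce} / {csp-script-nonce} and the header that must match it.
declare(strict_types=1);

/** Per-response nonce: 12 random bytes, hex-encoded (length is an assumption). */
function makeNonce(): string
{
    return bin2hex(random_bytes(12));
}

/**
 * Replace the two placeholders with nonce attributes and build the header
 * value that authorizes exactly those nonces. Returns [body, header, nonces].
 */
function applyCspNonces(string $body, ?string $styleNonce = null, ?string $scriptNonce = null): array
{
    $styleNonce  ??= makeNonce();
    $scriptNonce ??= makeNonce();

    $out = str_replace(
        ['{csp-style-nonce}', '{csp-script-nonce}'],
        ['nonce="' . $styleNonce . '"', 'nonce="' . $scriptNonce . '"'],
        $body
    );

    // Directive set is an assumption for the example; the nonces are the point.
    $header = sprintf(
        "default-src 'self'; style-src 'self' 'nonce-%s'; script-src 'self' 'nonce-%s'",
        $styleNonce,
        $scriptNonce
    );

    return [$out, $header, ['style' => $styleNonce, 'script' => $scriptNonce]];
}

/**
 * Find inline <style>/<script> tags that carry no nonce attribute; with CSP
 * enabled the browser will refuse to run them, which is what a forgotten
 * placeholder (or an unexpanded one, as in this report) looks like in practice.
 */
function unnoncedInlineTags(string $html): array
{
    preg_match_all('/<(style|script)\b([^>]*)>/i', $html, $matches, PREG_SET_ORDER);
    $missing = [];
    foreach ($matches as $tag) {
        if (stripos($tag[2], 'src=') !== false) {
            continue; // external script: governed by the host list, not the nonce
        }
        if (!preg_match('/\bnonce="[A-Za-z0-9+\/=]+"/', $tag[2])) {
            $missing[] = $tag[0];
        }
    }
    return $missing;
}

// Constructed view fragment, as it would look before the CSP step runs.
$view = <<<'HTML'
<style {csp-style-nonce}>body { margin: 0 }</style>
<script {csp-script-nonce}>console.log('ok');</script>
<style>/* placeholder forgotten on this tag */</style>
HTML;

[$html, $cspHeader, $nonces] = applyCspNonces($view);

echo "Content-Security-Policy: {$cspHeader}\n\n{$html}\n\n";
foreach (unnoncedInlineTags($html) as $tag) {
    echo "WARNING: inline tag without nonce, browser will block it: {$tag}\n";
}
```

Run it with `php script.php`. The first two tags come out with `nonce="..."` attributes whose values appear in the header, exactly the shape seen in the maintainer's response above; the third tag is reported as un-nonced. If a real page shows the literal `{csp-style-nonce}` text in the served HTML, the replacement step did not run at all (CSP disabled, or the response never reached it), which is a different failure from a missing placeholder.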

donpwinston commented 1 year ago

Must be something gummed up with my config settings. I'm using app.CSPEnabled = true in .env if that matters. I'll mess around with it some more. Also the views are in app/Views/errors/html too. I don't know why that would matter.

donpwinston commented 1 year ago

Well, it's working now. I had another problem with ini_set() and "headers already have been set.." errors at the same time as this problem because of a typo. Maybe that caused everything to shut down. I've since fixed that and the nonce stuff now works.

kenjis commented 1 year ago

We use GitHub issues to track BUGS and to track approved DEVELOPMENT work packages. We use our forum to provide SUPPORT and to discuss FEATURE REQUESTS.