codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License
5.38k stars 1.9k forks

Bug: [DebugBar] Missing CSP nonce value #7473

Closed donpwinston closed 10 months ago

donpwinston commented 1 year ago

PHP Version

8.1

CodeIgniter4 Version

4.3.4

CodeIgniter4 Installation Method

Composer (as dependency to an existing project)

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

No response

What happened?

When the toolbar is turned on and CSPEnabled is true, the nonce value appears to be missing in the JavaScript code below:

            var t = window.open();
            t && (t.document.open(),
                  t.document.write(
                      l.mktag("html") + l.mktag("head")
                      + l.mktag("title") + "Kint (" + (new Date).toISOString() + ")" + l.mktag("/title")
                      + l.mktag('meta charset="utf-8"')
                      + l.mktag('script class="kint-rich-script" nonce="' + l.script.nonce + '"') + l.script.innerHTML + l.mktag("/script")
                      + l.mktag('style class="kint-rich-style" nonce="' + l.style.nonce + '"') + l.style.innerHTML + l.mktag("/style")
                      + l.mktag("/head") + l.mktag("body")
                      + '<input class="kint-note-input" placeholder="Take some notes!"><div class="kint-rich">' + e.parentNode.outerHTML + "</div>"
                      + l.mktag("/body")),
                  t.document.close())

Steps to Reproduce

Turn CSPEnabled on and set CI_ENVIRONMENT to 'development'. Request a page generated by CI. Look at the browser JavaScript console. An error stating a missing nonce value will be displayed. In my case the browser is Safari.

Expected Output

No error in the JavaScript console.

Anything else?

No response

kenjis commented 1 year ago

Thank you for reporting. What's the exact error message?

donpwinston commented 1 year ago

Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

On Tuesday, May 2, 2023 at 08:13:15 AM EDT, kenjis wrote:

Thank you for reporting. What's the exact error message?
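The error quoted above is the browser applying its CSP rule for inline elements. The following is an added example, not code from CodeIgniter or Kint, that models that rule in a few lines so the symptom can be reproduced and checked offline: a nonce-based `style-src`/`script-src` directive, a page whose `<style>` tag lost its nonce, and a check that reports the same kind of violation Safari printed. The policy string, the nonce value `r4nd0m` and the HTML fragment are constructed for the example; hash sources are not modelled.

```javascript
// Added example (not CodeIgniter or Kint code): a minimal model of the check a
// browser performs when it meets an inline <script> or <style> under a CSP.
// Only 'unsafe-inline' and 'nonce-...' source expressions are modelled; hash
// sources are detected just to apply the "nonce or hash present" rule.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Decide whether one inline element is allowed. `kind` is "script" or "style",
// `nonceAttr` is the element's nonce attribute or null. Mirrors the CSP rule
// that 'unsafe-inline' is ignored as soon as the directive carries a nonce or
// hash source, so a tag emitted without its nonce is then blocked.
function inlineAllowed(policy, kind, nonceAttr) {
  const directive = kind === "script" ? "script-src" : "style-src";
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return { allowed: true, reason: "no applicable directive" };
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-.+'$/i.test(s));
  if (nonceAttr !== null && nonces.includes(nonceAttr)) {
    return { allowed: true, reason: "nonce matches" };
  }
  if (nonces.length === 0 && !hasHash && sources.includes("'unsafe-inline'")) {
    return { allowed: true, reason: "'unsafe-inline' permitted" };
  }
  return {
    allowed: false,
    reason: `Refused to apply inline ${kind}: its hash, its nonce, or ` +
      `'unsafe-inline' does not appear in the ${directive} directive`,
  };
}

// Extract inline <script>/<style> tags and their nonce attributes from HTML.
// External scripts (with a src attribute) are governed by host sources, not
// by nonces, so they are skipped here.
function findInlineElements(html) {
  const found = [];
  const tagRe = /<(script|style)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const kind = m[1].toLowerCase();
    const attrs = m[2];
    if (kind === "script" && /\bsrc\s*=/i.test(attrs)) continue;
    const nonceMatch = /\bnonce\s*=\s*"([^"]*)"/i.exec(attrs);
    found.push({ kind, nonce: nonceMatch ? nonceMatch[1] : null });
  }
  return found;
}

// Run the check over a page and return the violations a browser would report.
function cspViolations(header, html) {
  const policy = parseCsp(header);
  return findInlineElements(html)
    .map((el) => ({ ...el, ...inlineAllowed(policy, el.kind, el.nonce) }))
    .filter((r) => !r.allowed);
}

// Constructed sample: a nonce-based policy of the shape a CSPEnabled site
// sends, and a page where the style block lost its nonce (the symptom in the
// report). The nonce value is made up for this example.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; " +
  "style-src 'self' 'nonce-r4nd0m' 'unsafe-inline'";
const SAMPLE_HTML = [
  '<script class="kint-rich-script" nonce="r4nd0m">window.kint = 1;</script>',
  '<style class="kint-rich-style">.kint-rich{color:red}</style>',
].join("\n");

for (const v of cspViolations(SAMPLE_HEADER, SAMPLE_HTML)) {
  console.log(`${v.kind}: ${v.reason}`);  // reports the nonce-less <style>
}
```

Note that the sample policy keeps `'unsafe-inline'` in `style-src` and the style block is still refused: once a `'nonce-...'` source is present, browsers ignore `'unsafe-inline'` for that directive, which is why enabling a nonce-based CSP turns every nonce-less inline tag into a console error. The Kint snippet in the report copies `l.style.nonce` into the tag it writes into the new window, so whatever nonce the original `<style>` element carries, or lacks, is what the popup's policy check sees.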

kenjis commented 10 months ago

It seems there is no JavaScript code like the one reported in the current version (4.4.x). If you still have this issue, please go to #8405 or create a new issue.