kint-php / kint

Kint - Advanced PHP dumper
https://kint-php.github.io/kint/
MIT License

Kint and Content Security Policy ( CSP ) #421

Closed marcoczen closed 2 months ago

marcoczen commented 2 months ago

Guys,

Any way we can make Kint play nice with CSP? Currently when I am using Kint, I add 'unsafe-inline' to my script-src and style-src.

Pls do consider.

p.s. Kint - Best php debugger ever !!!!

jnvsor commented 2 months ago

You want RichRenderer::$js_nonce and RichRenderer::$css_nonce. I'm considering moving them to AbstractRenderer in the next major version.

Due to the way kint works nonce-based CSP is all we can do, but you could take the JS And CSS from the resources/compiled/ folder if you wanted to serve them yourself

marcoczen commented 2 months ago

Hi jnvsor,

Due to the way kint works nonce-based CSP is all we can do,

I understand.

You want RichRenderer::$js_nonce and RichRenderer::$css_nonce.

Hehehe... I am too dumb to understand how to get that or to put that into my page headers via php programmatically.

I'm considering moving them to AbstractRenderer in the next major version.

Noted.

Thanks.

p.s. - One of the GREAT things about kint is that it's just one phar file and boom - magic happens! I have used kint since v3 ... just blown away by it ..... Thanks once again

jnvsor commented 2 months ago

You simply set Kint\Renderer\RichRenderer::$js_nonce to whatever your CSP nonce is - the CSP nonce is set in script-src. You can have multiple script-src values too; consider using a generator if it gets complicated.

So for instance if you set your CSP script-src to 'self' 'nonce-IAMSUPPOSEDTOBERANDOM' and Kint\Renderer\RichRenderer::$js_nonce = "IAMSUPPOSEDTOBERANDOM"; it should work (and the same for style if you're using it, of course).
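
The wiring jnvsor describes, as an added example that is not code from the Kint project or from this thread: generate a fresh nonce per request, put it in both CSP directives, and hand the same value to the renderer before dumping. The phar path is a placeholder, and the sample array is constructed.

```php
<?php
// Added example, not Kint project code. Assumes Kint is loaded from a phar at
// the placeholder path below and that RichRenderer::$js_nonce / $css_nonce
// exist as the thread states.
require_once '/path/to/kint.phar'; // placeholder path

// One fresh, unguessable nonce per response. 16 random bytes, base64-encoded,
// is the usual shape for a 'nonce-...' source expression. Reusing a fixed
// string across requests would make the nonce as weak as 'unsafe-inline'.
$nonce = base64_encode(random_bytes(16));

// The same value goes into both script-src and style-src, because Kint emits
// inline <script> and <style> blocks for its rich output. header() must be
// called before any output is sent.
header(sprintf(
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'",
    $nonce,
    $nonce
));

// Tell the rich renderer to stamp that nonce onto the inline blocks it emits.
\Kint\Renderer\RichRenderer::$js_nonce  = $nonce;
\Kint\Renderer\RichRenderer::$css_nonce = $nonce;

// From here on, dumps pass the policy without 'unsafe-inline'.
$user = ['id' => 42, 'roles' => ['admin', 'editor']]; // constructed sample data
Kint::dump($user);
```

If your application already generates a CSP nonce elsewhere (a middleware or a template helper), reuse that value rather than creating a second one; the header and the renderer must see the identical string or the browser will block Kint's inline blocks.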

marcoczen commented 2 months ago

Hi. I will test and revert. Thanks.

marcoczen commented 2 months ago

Update - The steps above were rejected by the Chrome browser (I did something wrong?). Kint output was just plain black text. No white background etc.

Instead the browser console suggested two hashes, which I added into script-src and style-src. All good now!!! No need for unsafe-inline anymore.

Thanks !!!