nette / tracy

😎 Tracy: the addictive tool to ease debugging PHP code for cool developers. Friendly design, logging, profiler, advanced features like debugging AJAX calls or CLI support. You will love it.
https://tracy.nette.org

Debug bar broken when using CSP #582

Closed KminekMatej closed 1 month ago

KminekMatej commented 1 month ago

Version: 2.10.7

Bug Description

The debug bar is broken when CSP rules are specified in config.neon. The probable cause is the loading of <style class="tracy-debug">, which CSP effectively blocks due to style-src: [nonce, *, unsafe-inline]. There is an insight in the console: Content-Security-Policy: Nastavení stránky zablokovalo načítání zdroje na inline („style-src“).

Steps To Reproduce

Add to config file:

http:
    csp:
        default-src: [self]
        font-src: [self, https://fonts.gstatic.com, https://fonts.googleapis.com]
        script-src: [nonce, strict-dynamic, *, unsafe-inline]
        style-src: [nonce, *, unsafe-inline]
        frame-ancestors: [https://*.domain.ltd, http://localhost:3000]
        frame-src: [https://www.googletagmanager.com]
        report-uri: https://domain.ltd/security/csp/report

Expected Behavior

Bar dumps should look the same as when CSP is not used.

Possible Solution

<style class="tracy-debug"> must contain a nonce when it's configured in CSP. However, I'm not sure how to propagate the CSP setting from the config file into the phtml templates - that's why I cannot attach a pull request along with this issue.
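To see why the reported style-src list blocks a nonce-less <style> tag, here is a small added example (not Tracy's or Nette's code) that models how a browser evaluates the style-src directive for an inline style element. It assumes the source list from the config.neon above, that Nette expands its `nonce` shorthand to `'nonce-<value>'` in the emitted header, and that the same per-request nonce is available to whatever renders the tag; the function names `inlineStyleAllowed` and `buildStyleSrcHeader` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether an inline <style> element passes a style-src directive.
 * Models CSP level 2+ matching for inline content: a matching nonce allows
 * the element; 'unsafe-inline' is honoured only when the directive carries
 * no nonce source; host sources such as * never match inline content.
 * Hash sources are not modelled here.
 *
 * @param string[]    $styleSrc  source expressions as written in Nette's config (nonce, *, unsafe-inline, self, ...)
 * @param string      $pageNonce nonce the server put into the Content-Security-Policy header
 * @param string|null $tagNonce  value of the nonce attribute on the <style> tag, or null when absent
 */
function inlineStyleAllowed(array $styleSrc, string $pageNonce, ?string $tagNonce): bool
{
    $hasNonce = in_array('nonce', $styleSrc, true);

    // A nonce attribute that matches the header nonce always allows the element.
    if ($hasNonce && $tagNonce !== null && hash_equals($pageNonce, $tagNonce)) {
        return true;
    }

    // Once a nonce source is present, browsers ignore 'unsafe-inline' entirely.
    if (in_array('unsafe-inline', $styleSrc, true) && !$hasNonce) {
        return true;
    }

    // Nothing else (including *) can match an inline element.
    return false;
}

/**
 * Render the style-src header value for the source list (simplified model of
 * what the framework emits; assumption, not Nette's actual implementation).
 *
 * @param string[] $styleSrc
 */
function buildStyleSrcHeader(array $styleSrc, string $pageNonce): string
{
    $parts = [];
    foreach ($styleSrc as $src) {
        $parts[] = match ($src) {
            'nonce' => "'nonce-{$pageNonce}'",
            'self', 'unsafe-inline', 'strict-dynamic' => "'{$src}'",
            default => $src,
        };
    }
    return 'style-src ' . implode(' ', $parts);
}

// Constructed input: the style-src line from the issue and a fresh random nonce.
$styleSrc = ['nonce', '*', 'unsafe-inline'];
$pageNonce = base64_encode(random_bytes(16));

echo buildStyleSrcHeader($styleSrc, $pageNonce), PHP_EOL;

// Case 1: <style class="tracy-debug"> without a nonce attribute.
var_dump(inlineStyleAllowed($styleSrc, $pageNonce, null));

// Case 2: the same element carrying the request nonce.
var_dump(inlineStyleAllowed($styleSrc, $pageNonce, $pageNonce));

// Case 3: the nonce source removed from the directive, 'unsafe-inline' in force again.
var_dump(inlineStyleAllowed(['*', 'unsafe-inline'], $pageNonce, null));
```

Case 1 is the situation in this report: because the directive contains a nonce source, 'unsafe-inline' is disregarded and the un-nonced Tracy style block is refused; case 2 is what the proposed fix (adding the nonce attribute to the tag) would achieve; case 3 shows that simply not listing `nonce` under style-src also lets the bar load, at the cost of allowing every inline style on the page.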

dg commented 1 month ago

Tracy does not support CSP style-src, as stated in the documentation https://github.com/nette/tracy?tab=readme-ov-file#content-security-policy.

The thing is, one aspect is Tracy's support, but all user panels, which often use custom styles, would also need to start supporting it. Besides, I don't see much useful benefit in using style-src.