Closed fritzmg closed 8 months ago
Consider the following example:
```php
$csp = new CSPBuilder();
$csp->setSelfAllowed('default-src', true);
$nonce = $csp->getNonce('script-src');
$csp->sendCSPHeader(false);
echo '<script nonce="'.$nonce.'">…</script>';
```
This will send:
```
Content-Security-Policy: default-src 'self';
<script nonce="">…</script>
```
Due to the default-src 'self' CSP the <script> will not be executed since there is no nonce.
This PR would also check for a default-src policy so that the response will be:
```
Content-Security-Policy: default-src 'self'; script-src 'nonce-cFYyNld/10nnE2MH59DvbkuL';
<script nonce="cFYyNld/10nnE2MH59DvbkuL">…</script>
```
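The behaviour described in this PR, reduced to a self-contained illustration (added here; this is not the csp-builder library's code, and the class `NonceFallbackDemo` and its methods are hypothetical stand-ins for the real builder). The point it demonstrates is the CSP fallback rule: when no `script-src` directive is present, browsers apply `default-src` to scripts, so a nonce that is never written into `script-src` leaves the inline script blocked. The "before fix" run reproduces the empty `nonce=""` from the description; the "after fix" run adds the directive when the nonce would otherwise be lost to the `default-src` fallback.

```php
<?php
// Added illustration, not the csp-builder library's implementation.
// Class and method names here are hypothetical.

final class NonceFallbackDemo
{
    /** @var array<string, string[]> directive name => list of source expressions */
    private array $directives = [];
    private bool $checkDefaultSrc;

    public function __construct(bool $checkDefaultSrc)
    {
        $this->checkDefaultSrc = $checkDefaultSrc;
    }

    public function allowSelf(string $directive): void
    {
        $this->directives[$directive][] = "'self'";
    }

    /**
     * Return a fresh nonce for $directive and record it in the policy.
     * "Before fix": the nonce is only recorded when $directive is already
     * configured, so with default-src alone it is silently dropped.
     * "After fix": the nonce is also recorded when $directive is absent but
     * default-src exists, because the directive would otherwise fall back to
     * default-src and the nonce is the only way to let the inline script run.
     */
    public function getNonce(string $directive): string
    {
        $nonce = base64_encode(random_bytes(18));
        $configured = isset($this->directives[$directive]);
        $fallsBackToDefault = !$configured && isset($this->directives['default-src']);

        if ($configured || ($this->checkDefaultSrc && $fallsBackToDefault)) {
            $this->directives[$directive][] = "'nonce-" . $nonce . "'";
            return $nonce;
        }
        // Nothing to attach the nonce to: caller receives an empty string and
        // <script nonce=""> is blocked by default-src 'self'.
        return '';
    }

    public function compile(): string
    {
        $parts = [];
        foreach ($this->directives as $name => $sources) {
            $parts[] = $name . ' ' . implode(' ', $sources);
        }
        return implode('; ', $parts) . ';';
    }
}

foreach ([[false, 'before fix'], [true, 'after fix']] as [$checkDefault, $label]) {
    $csp = new NonceFallbackDemo($checkDefault);
    $csp->allowSelf('default-src');
    $nonce = $csp->getNonce('script-src');
    echo $label, ":\n";
    echo "  Content-Security-Policy: ", $csp->compile(), "\n";
    echo "  <script nonce=\"", $nonce, "\">…</script>\n\n";
}
```

Running it prints a header with only `default-src 'self';` and an empty `nonce` attribute for the "before fix" case, and `default-src 'self'; script-src 'nonce-…';` with a matching `nonce` attribute for the "after fix" case. The same fallback applies to `style-src`, so a builder that hands out nonces for any directive should perform the `default-src` check for every directive that falls back to it.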
@paragonie-security reminder for review