Content Security Policy with config autoNonce = false;
#1

With
PHP Code:
public $autoNonce = false;

The browser console doesn't report any errors anymore; for example, this should report errors:

PHP Code:
<script>some js code</script>

<div style="width:10rem"></div>

I've tested in development and production, with and without the toolbar.

Note that the toolbar shows nonce tags in the head.

With $autoNonce set to true, CSP generates errors for the toolbar and for inline style and script.

CI is version 4.2.6

This is my CSP configuration:

PHP Code:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

/**
 * Stores the default settings for the ContentSecurityPolicy, if you
 * choose to use it. The values here will be read in and set as defaults
 * for the site. If needed, they can be overridden on a page-by-page basis.
 *
 * Suggested reference for explanations:
 *
 * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 */
class ContentSecurityPolicy extends BaseConfig
{
    // -------------------------------------------------------------------------
    // Broadbrush CSP management
    // -------------------------------------------------------------------------

    /**
     * Default CSP report context
     *
     * @var bool
     */
    public $reportOnly = false; // default false

    /**
     * Specifies a URL where a browser will send reports
     * when a content security policy is violated.
     *
     * @var string|null
     */
    public $reportURI;

    /**
     * Instructs user agents to rewrite URL schemes, changing
     * HTTP to HTTPS. This directive is for websites with
     * large numbers of old URLs that need to be rewritten.
     *
     * @var bool
     */
    public $upgradeInsecureRequests = false;

    // -------------------------------------------------------------------------
    // Sources allowed
    // Note: once you set a policy to 'none', it cannot be further restricted
    // -------------------------------------------------------------------------

    /**
     * Will default to self if not overridden
     *
     * @var string|string[]|null
     */
    public $defaultSrc;

    /**
     * Lists allowed scripts' URLs.
     *
     * @var string|string[]
     */
    public $scriptSrc = ['self', 'https://www.youtube.com/']; // default self

    /**
     * Lists allowed stylesheets' URLs.
     *
     * @var string|string[]
     */
    public $styleSrc = ['self', 'https://fonts.googleapis.com/']; // default self

    /**
     * Defines the origins from which images can be loaded.
     *
     * @var string|string[]
     */
    public $imageSrc = ['self', 'https://img.youtube.com/', 'data:']; // default self

    /**
     * Restricts the URLs that can appear in a page's `<base>` element.
     *
     * Will default to self if not overridden
     *
     * @var string|string[]|null
     */
    public $baseURI;

    /**
     * Lists the URLs for workers and embedded frame contents
     *
     * @var string|string[]
     */
    public $childSrc = ['self', 'https://www.youtube.com/']; // default self

    /**
     * Limits the origins that you can connect to (via XHR,
     * WebSockets, and EventSource).
     *
     * @var string|string[]
     */
    public $connectSrc = 'self';

    /**
     * Specifies the origins that can serve web fonts.
     *
     * @var string|string[]
     */
    public $fontSrc = ['self', 'https://fonts.gstatic.com']; // default empty

    /**
     * Lists valid endpoints for submission from `<form>` tags.
     *
     * @var string|string[]
     */
    public $formAction = 'self';

    /**
     * Specifies the sources that can embed the current page.
     * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
     * and `<applet>` tags. This directive can't be used in
     * `<meta>` tags and applies only to non-HTML resources.
     *
     * @var string|string[]|null
     */
    public $frameAncestors; // default empty

    /**
     * The frame-src directive restricts the URLs which may
     * be loaded into nested browsing contexts.
     *
     * @var array|string|null
     */
    public $frameSrc;

    /**
     * Restricts the origins allowed to deliver video and audio.
     *
     * @var string|string[]|null
     */
    public $mediaSrc = ['self', 'blob:']; // default empty

    /**
     * Allows control over Flash and other plugins.
     *
     * @var string|string[]
     */
    public $objectSrc = 'self';

    /**
     * @var string|string[]|null
     */
    public $manifestSrc;

    /**
     * Limits the kinds of plugins a page may invoke.
     *
     * @var string|string[]|null
     */
    public $pluginTypes;

    /**
     * List of actions allowed.
     *
     * @var string|string[]|null
     */
    public $sandbox;

    /**
     * Nonce tag for style
     *
     * @var string
     */
    public $styleNonceTag = '{csp-style-nonce}';

    /**
     * Nonce tag for script
     *
     * @var string
     */
    public $scriptNonceTag = '{csp-script-nonce}';

    /**
     * Replace nonce tag automatically
     *
     * @var bool
     */
    public $autoNonce = false; // true;
}


Is anyone experiencing the same behavior? My intention is to remove all inline script and style and not use any nonceTag.
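A quick way to check what a response's CSP actually permits, independent of what the browser console reports, is to parse the header and ask whether inline script or style would still run. This is an added example, not code from the thread or from CodeIgniter; the constructed EXPECTED_CSP assumes the framework emits one directive per config property (directive names taken from the property names above), and a missing header is treated as "nothing enforced", which matches the silent console in the report.

```python
"""Audit a Content-Security-Policy header for inline script/style exposure.
Constructed example; not CodeIgniter's own code."""

# Constructed header: what the config above should produce with autoNonce = false
# (assumption: each *Src list is joined into a single directive, no nonces).
EXPECTED_CSP = (
    "default-src 'self'; script-src 'self' https://www.youtube.com/; "
    "style-src 'self' https://fonts.googleapis.com/; "
    "img-src 'self' https://img.youtube.com/ data:; "
    "connect-src 'self'; font-src 'self' https://fonts.gstatic.com; "
    "form-action 'self'; media-src 'self' blob:; object-src 'self'"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def inline_allowed(policy: dict, directive: str) -> bool:
    """True if un-nonced inline content governed by `directive` would execute.
    Falls back to default-src when the directive is absent, as browsers do."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no governing directive at all: inline content is unrestricted
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def audit(headers: dict) -> dict:
    """Report, for a response's headers, whether inline script/style slip through."""
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), "")
    policy = parse_csp(csp)
    return {
        "inline_script": inline_allowed(policy, "script-src"),
        "inline_style": inline_allowed(policy, "style-src"),
    }
```

Feed it the headers from the browser's network tab or from curl -sI; if both values come back True even though the config is in place, the header is not reaching the browser at all.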
#2

This is a bug. Please wait for the fix.
#3

Thank you for your feedback.
#4

I sent a PR to fix.
https://github.com/codeigniter4/CodeIgniter4/pull/6570
#5

(This post was last modified: 09-24-2022, 12:51 PM by eelisland.)

Hi,
Thanks for the PR, I will take a look ASAP.

Edit: the PR fixed my issue, thank you.