Took me a little longer than expected, but I think I've squashed the bugs with CSP. Pull down the latest source and it should be working for you. Here's a quick example to get you started:
First off - turn CSP on in Config/App.php
Code:
public $CSPEnabled = true;
Now refresh your page and you'll see lots of errors in your browser's console. If you have the debug toolbar on - you'll see even more. Please note that the toolbar is not compatible with CSP and should be turned off when you're tuning your CSP rules.
Assuming you have a simple little HTML page like this (which you wouldn't but we have to start somewhere):
Code:
<!doctype html>
<html>
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
</head>
<body>
<style {csp-style-nonce}>
body { background: #efefef; }
</style>
</body>
</html>
You would need to add the following in your base controller, or wherever you want, to get things passing the CSP restrictions:
Code:
$this->response->CSP->setDefaultSrc('self');
$this->response->CSP->addStyleSrc('https://maxcdn.bootstrapcdn.com');
$this->response->CSP->addFontSrc('https://maxcdn.bootstrapcdn.com');
setDefaultSrc isn't really required for this, but will make things a little simpler for you in most cases.
addStyleSrc is required to allow the external Bootstrap stylesheet.
addFontSrc is required to allow Bootstrap to load its fonts.
Because the {csp-style-nonce} tag is in the style tag, a nonce will be automatically created for you and inserted into the header. With these rules, you'll end up with a generated header like:
Code:
Content-Security-Policy: connect-src 'self'; default-src 'self'; font-src https://maxcdn.bootstrapcdn.com; img-src 'self'; script-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com 'nonce-1cb22ae4b1a5c58a66415811';
Hope that helps!
Be sure to read the articles linked in the docs for more information. It can get a bit complex.
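To make the nonce flow above concrete, here is an added, stand-alone Python model of what the post describes: a fresh nonce is generated per response, substituted for the `{csp-style-nonce}` placeholder in the body, and emitted in the `style-src` directive of the header, plus a small matcher that checks which loads the resulting policy would allow. This is example code written for this page, not CodeIgniter's own implementation. Assumptions: the page origin `https://app.example`, the `TEMPLATE` string (constructed from the post's HTML, with the integrity attribute dropped for brevity), a base64url nonce rather than the hex one shown in the post's header, and a deliberately simplified CSP matcher that handles only `'self'`, host sources and `'nonce-…'`. One thing the model makes visible that the post's header only implies: because `font-src` is set to the CDN alone, it replaces `default-src` for fonts, so a font served from your own origin would be blocked unless you also add `'self'` to `font-src`.

```python
import secrets
from urllib.parse import urlsplit

# Constructed sample: the page from the post, carrying the framework's
# {csp-style-nonce} placeholder (placeholder syntax as shown in the post).
TEMPLATE = """<!doctype html>
<html>
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
</head>
<body>
<style {csp-style-nonce}>
body { background: #efefef; }
</style>
</body>
</html>
"""

PAGE_ORIGIN = "https://app.example"  # assumption: where this page is served from


def new_nonce() -> str:
    """Fresh, unpredictable nonce per response (at least 128 bits of entropy)."""
    return secrets.token_urlsafe(16)


def build_policy(nonce: str) -> dict:
    """Directive -> source list, mirroring the three calls in the post."""
    return {
        "default-src": ["'self'"],
        "style-src": ["'self'", "https://maxcdn.bootstrapcdn.com", f"'nonce-{nonce}'"],
        "font-src": ["https://maxcdn.bootstrapcdn.com"],
    }


def header_value(policy: dict) -> str:
    """Serialise the policy as a Content-Security-Policy header value."""
    return " ".join(f"{d} {' '.join(v)};" for d, v in policy.items())


def render(template: str, nonce: str) -> str:
    """Swap the placeholder for a real nonce attribute, as the framework does."""
    return template.replace("{csp-style-nonce}", f'nonce="{nonce}"')


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def effective_sources(policy: dict, directive: str) -> list:
    """A fetch directive that is present replaces default-src entirely."""
    return policy[directive] if directive in policy else policy.get("default-src", [])


def allowed(policy: dict, directive: str, *, url: str = None, nonce: str = None) -> bool:
    """Simplified CSP matching for the source kinds used here: 'self', host, nonce."""
    sources = effective_sources(policy, directive)
    if nonce is not None:  # inline block carrying nonce="..."
        return f"'nonce-{nonce}'" in sources
    if url is None:
        return False
    for src in sources:
        if src == "'self'" and _origin(url) == PAGE_ORIGIN:
            return True
        if src.startswith("https://") and _origin(src) == _origin(url):
            return True
    return False


def respond(nonce: str = None) -> dict:
    """One response: the same fresh nonce goes into both the header and the body."""
    nonce = nonce or new_nonce()
    policy = build_policy(nonce)
    return {
        "nonce": nonce,
        "header": header_value(policy),
        "html": render(TEMPLATE, nonce),
        "policy": policy,
    }


if __name__ == "__main__":
    r = respond()
    print("Content-Security-Policy:", r["header"])
    print(r["html"])
```

Run it twice and the nonce differs each time; a policy whose nonce is reused across responses (or guessable) gives an attacker who can inject markup exactly what the nonce was meant to deny.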