Content Security Policy (Setting nonce value)
I'm using {csp-script-nonce} and {csp-style-nonce} in my script and style tags. But the Content-Security-Policy header does not appear to be set. Also the nonce has a different value each time I use it on a page. Shouldn't they all be the same and just different for script and style? The header value indicating the nonce values is only set once.
I'm not understanding something. How do I tell CodeIgniter to set the nonce values in the header? In .env I've got the following:

app.CSPEnabled = true
contentsecuritypolicy.defaultSrc = 'self'
contentsecuritypolicy.scriptSrc = '?'
contentsecuritypolicy.styleSrc = '?'
contentsecuritypolicy.imageSrc = 'self'
Simpler is always better
11-25-2021, 06:22 PM
When you turn content security policy on in .env via "app.CSPEnabled = true" a nonce is created for every inline CSS and JavaScript for the debug bar but NOT for the Kint inline script and inline styles. I can see the {csp-style-nonce} text in the welcome page view file. The welcome page has styles and scripts with no nonce. My browser complains about these but doesn't complain about the Kint JS and CSS. Why?
How is the browser told what the nonce values should be? There are several. More than one for styles and more than one for scripts. If I use the CI feature {csp-style-nonce} and {csp-script-nonce}, don't I also have to tell the browser about it in a Content-Security-Policy header? How do I do that for each nonce?
Simpler is always better
(11-25-2021, 06:22 PM)donpwinston Wrote: When you turn content security policy on in .env via "app.CSPEnabled = true" a nonce is created for every inline CSS and JavaScript for the debug bar but NOT for the Kint inline script and inline styles. I can see the {csp-style-nonce} text in the welcome page view file. The welcome page has styles and scripts with no nonce. My browser complains about these but doesn't complain about the Kint JS and CSS. Why?

I've got this working. CI updates the header for you with the nonce values. Just edit app\Config\ContentSecurityPolicy.php and use an array to set scriptSrc, styleSrc, .... The nonce values will be dynamically added to these arrays for each page and page refresh. Don't forget to set app.CSPEnabled = true in the .env file. Do not set the following:

# contentsecuritypolicy.defaultSrc = 'none'
# contentsecuritypolicy.scriptSrc = 'self'
# contentsecuritypolicy.styleSrc = 'self'
# contentsecuritypolicy.imageSrc = 'self'

If you use these they will get blown away when CI adds the nonce values.
Simpler is always better
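As an added illustration of the array form described in the reply above (this is not code from the thread or from the CodeIgniter project), here is what the config file and a view can look like. The class layout follows CodeIgniter 4's config convention; the nonce values shown in the comment are made up, and only defaultSrc, scriptSrc, styleSrc and imageSrc are taken from the thread.

```php
<?php
// app/Config/ContentSecurityPolicy.php, illustrative only.

namespace Config;

use CodeIgniter\Config\BaseConfig;

class ContentSecurityPolicy extends BaseConfig
{
    // Use arrays, not strings. When the response is sent, CodeIgniter appends a
    // 'nonce-<value>' entry for each nonce it generated to scriptSrc and
    // styleSrc, so the sources listed here survive. A scalar value set from
    // .env (contentsecuritypolicy.scriptSrc = 'self') is blown away instead.
    public $defaultSrc = ['self'];
    public $scriptSrc  = ['self'];
    public $styleSrc   = ['self'];
    public $imageSrc   = ['self'];
}

// ---- app/Views/welcome_message.php (excerpt) ----
// Leave the placeholders inside the tags. CodeIgniter swaps each one for a
// nonce attribute and adds the matching 'nonce-<value>' source to the header,
// so the browser sees something like (nonce values are constructed here):
//   Content-Security-Policy: default-src 'self';
//     script-src 'self' 'nonce-AbC123'; style-src 'self' 'nonce-XyZ789';
//     img-src 'self'
// An inline <style> or <script> without the placeholder carries no nonce, is
// not listed in the header, and is the tag the browser reports as blocked.
?>
<style {csp-style-nonce}>
    body { margin: 0; }
</style>
<script {csp-script-nonce}>
    console.log('allowed: this tag carries a nonce the header lists');
</script>
```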
The in-progress user guide:
https://codeigniter4.github.io/CodeIgnit...ity-policy

If you have any improvements to the docs, a pull request is welcome.
https://github.com/codeigniter4/CodeIgni...sponse.rst
https://github.com/codeigniter4/CodeIgni...ing#readme