I don't really have much experience with CSP, so possibly it's just an oversight on my part.
My usage in my CI4 application is pretty simple and limited.
CSP is enabled in the .env file and the config file.
The following lines are in the constructor of my Base Controller:
Code:
$this->response->CSP->setDefaultSrc('self');
$this->response->CSP->addFontSrc(['self', 'https://fonts.googleapis.com', 'https://fonts.gstatic.com']);
$this->response->CSP->addImageSrc(['self', 'data:']);
$this->response->CSP->addScriptSrc(['self']);
A few calls to
to add nonces to some inline scripts in my views.
The CSP errors I am getting all relate to ?debugbar:46
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-???????????????????????'". Either the 'unsafe-inline' keyword, a hash , or a nonce is required to enable inline execution
Code:
toolbar.innerHTML = responseText;
Looking at the HTML output of the pages, I can see that nonces are in place for the script and style tags for the debugbar.
Luke
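For reference, the browser-side decision behind the quoted "Refused to apply inline style" message, as an added Python model that is not part of the post above or of CodeIgniter: it evaluates a style-src directive against an inline <style> element or a style="" attribute. The nonce values are constructed, and only sha256 hash sources are handled.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class InlineStyle:
    content: str                    # text of the <style> element or style="" attribute
    nonce: Optional[str] = None     # value of the element's nonce attribute, if any
    is_attribute: bool = False      # True for a style="..." attribute, False for <style>


def parse_style_src(policy: str) -> list:
    """Return the source expressions of the style-src directive, e.g. ["'self'", "'nonce-abc'"]."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "style-src":
            return tokens[1:]
    return []


def sha256_source(content: str) -> str:
    """Hash source expression ('sha256-<base64>') for the given inline content."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_allowed(policy: str, style: InlineStyle) -> bool:
    """Model of the CSP check that yields 'Refused to apply inline style' when it fails."""
    sources = parse_style_src(policy)
    nonces = [s for s in sources if s.startswith("'nonce-")]
    hashes = [s for s in sources if s.startswith("'sha")]
    # 'unsafe-inline' is ignored as soon as the directive lists a nonce or hash source
    if "'unsafe-inline'" in sources and not nonces and not hashes:
        return True
    # only <style> elements can carry a nonce attribute; a style="" attribute never has one,
    # so markup injected without a matching nonce is refused regardless of the page's nonces
    if style.nonce and not style.is_attribute and f"'nonce-{style.nonce}'" in nonces:
        return True
    # a matching hash allows a <style> element; for style attributes it also needs 'unsafe-hashes'
    if sha256_source(style.content) in hashes:
        return (not style.is_attribute) or ("'unsafe-hashes'" in sources)
    return False
```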