CSP Issues with Debug Bar
#1

I have enabled CSP on one of my CI4 (latest 4.2.11) applications. I am adding allowed sources at runtime from my base controller using the appropriate $this->response->CSP->{function}. I have also added nonces to all my inline scripts and styles using the csp_script_nonce() and csp_style_nonce() functions.
From my application point of view everything is working perfectly.
However, with the environment set to development and the debug bar enabled, I am getting lots of CSP blocking errors related to the debug bar. Whilst this isn't a problem for production, where it's turned off, it does make it more difficult to spot other CSP errors related to my code in my development environment, as they get buried in the numerous debug bar CSP errors.
Does the debug bar function OK for anyone with CSP enabled? If so, what allowances have you added to the CSP rules?
Thanks,
Luke
#2

It is known that some CSP settings can cause problems when the debug bar is displayed.

Without knowing the details, it is hard to say if it is a misconfiguration or a problem with the framework.

If you think it is a framework issue, feel free to report it on GitHub.
#3

(This post was last modified: 01-02-2023, 03:40 AM by ltarrant.)

I don't really have much experience with CSP, so possibly it's just an oversight on my part.
My usage in my CI4 application is pretty simple and limited.
CSP enabled in .env file and config file.
The following lines in the constructor of my Base Controller.

Code:
$this->response->CSP->setDefaultSrc('self');
$this->response->CSP->addFontSrc(['self', 'https://fonts.googleapis.com', 'https://fonts.gstatic.com']);
$this->response->CSP->addImageSrc(['self', 'data:']);
$this->response->CSP->addScriptSrc(['self']);

A few calls to
Code:
csp_script_nonce()

to add nonces to some inline scripts in my views.

The CSP errors I am getting all relate to ?debugbar:46

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-???????????????????????'". Either the 'unsafe-inline' keyword, a hash , or a nonce is required to enable inline execution

Code:
toolbar.innerHTML = responseText;

Looking at the HTML output on the pages I can see nonces are in place for the script and style tags for the debugbar.

Luke