Noncense?
02-25-2023, 05:47 AM
(This post was last modified: 01-21-2024, 11:53 AM by Gary. Edit Reason: [ Still applicable to v4.4.4 ] )
Is this a bug in v4.3.1... or am I talking nonsense? [ Still applicable to v4.4.4 ]
When .env is set as follows:

Code: #--------------------------------------------------------------------

Everything with regards to Nonce insertions is as I'd expect... (well, at least as far as I've tested). However, with .env set as:

Code: #--------------------------------------------------------------------

It appears that Nonces are ALWAYS inserted into the CSP header (if CSP is enabled using: $CSPEnabled = true; ) when CI_ENVIRONMENT is set to development... regardless of whether they've been "requested" (or not) using:

Code: public bool $autoNonce = true / false;

Which results in warnings and errors like these when one is working on the code (and the particular pieces in the webpage obviously don't work):

Code: 14:27:45.765 Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified

Yes, I understand that Nonces can be inserted manually... so the $autoNonce may(?) ALSO apply to this use-case (and be necessary for insertion into the main CSP header still if it were being used with manual insertion... or not(?)). Regardless of this... the fact that there is (unexpected) distinctly different behaviour between production and development is what makes me consider this as possibly being a bug.

If $autoNonce is indeed necessary for the manual insertion functions to work (so as to have the nonce automatically injected into the CSP header), it would seem likely that an additional setting is required somewhere... something like an $enableNonce, that enables or disables the CSP header insertion... which then could be used automatically (with $autoNonce) or manually via the CI nonce-insertion commands (?).

... or is this just complete and utter noncense?

As an aside, I see that the "content-security-policy-report-only:" header is ALWAYS set (even if it's empty)... which, possibly, isn't an "error"; however, this causes some browsers to flag it as a warning every time the page is loaded:

Code: 14:27:45.765 Content Security Policy: This site (https://pig.pen) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.

Offhand, I'm not sure of what the RFC calls for, but it would seem more sensible (to this Ignorant at least) to NOT include this header if it was empty (?).

And whilst we're about it... without having looked at it in detail... it would appear that this line (445) in ResponseTrait.php should possibly reference the variables that give the specified names of {csp-style-nonce} and {csp-script-nonce} (in ContentSecurityPolicy.php), rather than the respective (hard-coded) text (?):

Code: $this->body = str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $this->body ?? '');
When you set CI_ENVIRONMENT = development, debug toolbar uses Kint and Kint outputs script tags.
So we need Nonce for Kint.
line (445) in ResponseTrait.php.
That code is from a much earlier version. I think it is a bug, but left it for compatibility, because when CSP is off, the string {csp-style-nonce} is removed.
Thanks for the explanation Kenjis... and sorry for the delayed response... this one seemed to drop off my radar... and only since I've now had more problems with this same issue and did an Internet search, did I find a link to this post (on an independent search engine)... that, to my surprise... was written by myself! Clearly the current drug dosages are no longer sufficient.

The problem is that, in having made use of a lot of in-line scripts (primarily in the form of onclick and onkeydown invocation of JavaScript functions downloaded in CSP-protected files), having the nonce always injected when CI_ENVIRONMENT = development appears to result in the site/s no longer being able to be run in the development environment whilst CSP is enabled (whereas in production, CSP can be enabled, whilst the nonce functionality can be disabled by setting $autoNonce to false). This behaviour (under development and/or production) appears to be independent of whether the debug toolbar is enabled (in my case, I've never had the debug toolbar enabled for the last website development where this problem surfaced).

As an aside, in my fiddling with this issue last night, I found that the script and style NonceTags do not get removed from the webpages under some conditions (even when CI_ENVIRONMENT = production). The reason for this is that the nonce functionality appears to have been assumed to be fully integrated with CSP functionality... which, agreed, it may be... however, the NonceTags one inserts manually into web-pages, although necessary for this functionality, are only a "flag" and should always be removed before the page is presented to the client browser, regardless of what CSP functionality has (or has not) been enabled.

As such, I'd humbly suggest considering a minor modification to the CI code in order to remedy this situation:

Code: In system/HTTP/ResponseTrait.php:

And, in order to fetch the protected state of $autoNonce:

Code: In system/HTTP/ContentSecurityPolicy.php:

For the record, I've just upgraded to v4.4.4, from v4.3.1.
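The placeholder handling and header behaviour discussed in this thread, as an added PHP illustration that is not CodeIgniter's own code: the placeholders are treated as a flag that is always consumed before output, 'unsafe-inline' is dropped from a directive once a nonce is present (the first warning quoted above), and the Report-Only header is only sent when it carries a policy (the second warning). The function names, the sample page and the nonce value are constructed for the example.

```php
<?php
// Added illustration, not CodeIgniter's own code: keep the
// {csp-script-nonce}/{csp-style-nonce} placeholders from ever reaching the
// browser, and emit CSP headers that avoid the two warnings quoted above.

const NONCE_TAGS = ['{csp-script-nonce}', '{csp-style-nonce}'];

/** Placeholders are a flag: inject the nonce when requested, otherwise strip them. */
function finalizeBody(string $body, bool $cspEnabled, bool $autoNonce, string $nonce): string
{
    $replacement = ($cspEnabled && $autoNonce) ? 'nonce="' . $nonce . '"' : '';
    return str_replace(NONCE_TAGS, $replacement, $body);
}

/** Build the CSP headers; returns an empty array when CSP is disabled. */
function cspHeaders(bool $cspEnabled, bool $autoNonce, string $nonce,
                    array $scriptSrc, array $reportOnly = []): array
{
    if (!$cspEnabled) {
        return [];
    }
    if ($autoNonce) {
        // A nonce-source makes browsers ignore 'unsafe-inline', so remove it
        // instead of shipping a directive that only produces a console warning.
        $scriptSrc   = array_values(array_diff($scriptSrc, ["'unsafe-inline'"]));
        $scriptSrc[] = "'nonce-{$nonce}'";
    }
    $headers = ['Content-Security-Policy' => 'script-src ' . implode(' ', $scriptSrc)];
    // Only send Report-Only when it carries a policy; an empty one is just noise.
    if ($reportOnly !== []) {
        $headers['Content-Security-Policy-Report-Only'] = implode('; ', $reportOnly);
    }
    return $headers;
}

// Constructed sample page using the placeholder flags, and a fresh nonce per response.
$html  = '<script {csp-script-nonce}>init();</script><style {csp-style-nonce}>b{color:red}</style>';
$nonce = base64_encode(random_bytes(16));

// Production-style setting: CSP on, $autoNonce false. Tags are stripped, no nonce anywhere.
echo finalizeBody($html, true, false, $nonce), "\n";
print_r(cspHeaders(true, false, $nonce, ["'self'", "'unsafe-inline'"]));

// Development-style setting: CSP on, $autoNonce true. nonce="..." injected, 'unsafe-inline' dropped.
echo finalizeBody($html, true, true, $nonce), "\n";
print_r(cspHeaders(true, true, $nonce, ["'self'", "'unsafe-inline'"]));

// CSP off: placeholders must still disappear (the case the post above says is mishandled).
echo finalizeBody($html, false, true, $nonce), "\n";
```

Run with `php example.php`; the third output line shows the bare tags with the placeholders gone even though CSP is off.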