Noncense?
Question 
(This post was last modified: 01-21-2024, 11:53 AM by Gary. Edit Reason: [ Still applicable to v4.4.4 ] )

Is this a bug in v4.3.1... or am I talking nonsense?  [ Still applicable to v4.4.4 ]

When .env is set as follows:
Code:
#--------------------------------------------------------------------
# ENVIRONMENT
#--------------------------------------------------------------------
CI_ENVIRONMENT = production

Everything with regards to Nonce insertions is as I'd expect... (well, at least as far as I've tested).

However, with .env set as:
Code:
#--------------------------------------------------------------------
# ENVIRONMENT
#--------------------------------------------------------------------
CI_ENVIRONMENT = development

It appears that Nonces are ALWAYS inserted into the CSP header (if CSP is enabled using: $CSPEnabled = true; ) when CI_ENVIRONMENT is set to development... regardless of whether they've been "requested" (or not) using:
Code:
public bool $autoNonce = true / false;

Which results in warnings and errors like these when one is working on the code (and the particular pieces in the webpage obviously don't work):
Code:
14:27:45.765 Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
14:27:45.874 Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
14:27:45.875 Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Yes, I understand that Nonces can be inserted manually... so the $autoNonce may(?) ALSO apply to this use-case (and be necessary for insertion into the main CSP header still if it were being used with manual insertion... or not(?)), regardless of this... the fact that there is (unexpected) distinctly different behaviour between production and development is what makes me consider this as possibly being a bug.

If $autoNonce is indeed necessary for the manual insertion functions to work (so as to have the nonce automatically injected into the CSP header), it would seem likely that an additional setting is required somewhere... something like an $enableNonce, that enables or disables the CSP header insertion... which then could be used automatically (with $autoNonce) or manually via the CI nonce-insertion commands (?).

... or is this just complete and utter noncense?


As an aside, I see that the "content-security-policy-report-only:" header is ALWAYS set (even if it's empty)... which, possibly isn't an "error", however this causes some browsers to flag it as a warning every time the page is loaded:

Code:
14:27:45.765 Content Security Policy: This site (https://pig.pen) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.

Offhand, I'm not sure of what the RFC calls for, but it would seem more sensible (to this Ignorant at least) to NOT include this header if it was empty (?).

And whilst we're about it... without having looked at it in detail... it would appear that this line (445) in ResponseTrait.php should possibly reference the variables that give the specified names of {csp-style-nonce} and {csp-script-nonce} (in ContentSecurityPolicy.php), rather than the respective (hard-coded) text (?):
Code:
$this->body = str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $this->body ?? '');
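The two browser warnings quoted in the post follow directly from CSP semantics: once a nonce-source or hash-source appears in a directive, 'unsafe-inline' in that same directive is ignored, so any inline script or style that does not carry the nonce is blocked; and a Content-Security-Policy-Report-Only header with no report-uri/report-to (or an empty policy) is inert and only produces console noise. The following framework-independent check is an added example, not code from the post or from CodeIgniter: it parses the outgoing header values and flags exactly those two conditions, so a developer can see before deploying whether the development-environment header differs from the production one in the way described above. The sample header values are constructed to mirror the two .env cases in the post.

```python
"""Added example: lint outgoing CSP headers for the two conditions the post describes.

Not part of CodeIgniter; the header strings below are constructed samples.
"""
from __future__ import annotations

import re

# Quoted nonce-source or hash-source expression, e.g. 'nonce-abc123' or 'sha256-...'
NONCE_OR_HASH = re.compile(r"^'(nonce-[^']+|sha(256|384|512)-[^']+)'$")


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Repeated
    directive names are merged. An empty value yields an empty policy.
    """
    policy: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def lint_csp(header_value: str, report_only: bool = False) -> list[str]:
    """Return human-readable findings for one CSP header value.

    Finding 1: a directive mixes 'unsafe-inline' with a nonce/hash, so the
               browser ignores 'unsafe-inline' and blocks un-nonced inline code.
    Finding 2: a report-only policy is empty or has nowhere to report to.
    """
    findings: list[str] = []
    policy = parse_csp(header_value)

    if report_only:
        if not policy:
            findings.append("report-only header sent with an empty policy")
        elif not ({"report-uri", "report-to"} & policy.keys()):
            findings.append(
                "report-only policy has no report-uri/report-to: "
                "browser will neither block nor report violations"
            )

    for directive, sources in policy.items():
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
        if "'unsafe-inline'" in sources and has_nonce_or_hash:
            findings.append(
                f"{directive}: 'unsafe-inline' is ignored because a nonce/hash "
                "source is present; inline content without the nonce is blocked"
            )
    return findings


# Constructed samples mirroring the post: production (no nonce injected) and
# development (nonce injected into every directive regardless of $autoNonce).
PRODUCTION_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
DEVELOPMENT_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'nonce-abc123'; "
    "style-src 'self' 'unsafe-inline' 'nonce-def456'"
)
EMPTY_REPORT_ONLY = ""


def lint_response(headers: dict[str, str]) -> list[str]:
    """Lint both CSP headers of a response; header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = lint_csp(lowered.get("content-security-policy", ""))
    if "content-security-policy-report-only" in lowered:
        findings += lint_csp(lowered["content-security-policy-report-only"], report_only=True)
    return findings


if __name__ == "__main__":
    for label, csp in (("production", PRODUCTION_CSP), ("development", DEVELOPMENT_CSP)):
        print(label, lint_response({
            "Content-Security-Policy": csp,
            "Content-Security-Policy-Report-Only": EMPTY_REPORT_ONLY,
        }))
```

Running the block prints no script/style findings for the production sample and two for the development sample (one per directive that received a nonce), plus the empty report-only finding in both cases; that is the same pair of conditions the browser console reports at L31-L33 and L45 of the post, caught server-side before the page is served.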


Messages In This Thread
Noncense? - by Gary - 02-25-2023, 05:47 AM
RE: Noncense? - by kenjis - 02-26-2023, 07:28 PM
RE: Noncense? - by kenjis - 02-26-2023, 07:32 PM
RE: Noncense? - by Gary - 01-17-2024, 03:37 AM