Noncense?
(This post was last modified: 01-17-2024, 04:39 AM by Gary.)

Thanks for the explanation Kenjis... and sorry for the delayed response; this one seemed to drop off my radar... and only since I've now had more problems with this same issue and did an Internet search, did I find a link to this post (on an independent search engine)... that, to my surprise... was written by myself!  Clearly the current drug dosages are no longer sufficient.

The problem is that, in having made use of a lot of in-line scripts (primarily in the form of onclick and onkeydown invocation of JavaScript functions downloaded in CSP-protected files), having the nonce always injected when CI_ENVIRONMENT = development appears to result in the site/s no longer being able to be run in the development environment whilst CSP is enabled (whereas in production, CSP can be enabled, whilst the nonce functionality can be disabled by setting $autoNonce to false).

This behavior (under development and/or production) appears to be independent of whether the debug toolbar is enabled (in my case, I've never had the debug toolbar enabled for the last website development where this problem surfaced).

As an aside, in my fiddling with this issue last night, I found that the script and style NonceTags do not get removed from the webpages under some conditions (even when CI_ENVIRONMENT = production).  The reason for this is that the nonce functionality appears to have been assumed to be fully integrated with CSP functionality... which, agreed, it may be... however, the NonceTags one inserts manually into web-pages, although necessary for this functionality, are only a "flag" and should always be removed before the page is presented to the client browser, regardless of what CSP functionality has (or has not) been enabled.  As such, I'd humbly suggest considering a minor modification to the CI code in order to remedy this situation:


Code:
In system/HTTP/ResponseTrait.php:

public function send()
{
    // Ensure any nonceTags on the page are always replaced when they are not being replaced elsewhere in the code
    if (! $this->CSP->getAutoNonce()) {
        $this->body = str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $this->body ?? '');
    }

    // If we're enforcing a Content Security Policy,
    // we need to give it a chance to build out its headers.
    if ($this->CSP->enabled()) {
        $this->CSP->finalize($this);
    }
    // else {    // having the fallback else over here will only replace nonceTags when CSP is disabled. What if CSP functionality is desired, only without nonces?
    //     $this->body = str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $this->body ?? '');
    // }
    ...

And, in order to fetch the protected state of $autoNonce:

Code:
In system/HTTP/ContentSecurityPolicy.php:

/**
 * Whether Content Security Policy is being enforced.
 */
public function enabled(): bool
{
    return $this->CSPEnabled;
}

*** New getter function to recover the state of the protected $autoNonce flag ***
/**
 * Whether autoNonce is set.
 */
public function getAutoNonce(): bool
{
    return $this->autoNonce;
}
...


For the record, I've just upgraded to v4.4.4, from v4.3.1.
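The behaviour the post is asking for, as an added stand-alone example (not CodeIgniter's own code, and not Gary's patch): a minimal finalize step that either substitutes freshly generated nonces for the {csp-style-nonce} / {csp-script-nonce} placeholders and advertises them in the policy, or strips the placeholders, for every combination of "CSP enabled" and "autoNonce". The class and method names (NonceDemo, finalizeBody, isClean) and the two-directive policy are assumptions made for the example; the placeholder strings are the ones the post discusses.

```php
<?php
// Added example, not CodeIgniter's code. Names below are hypothetical.
final class NonceDemo
{
    public const STYLE_TAG  = '{csp-style-nonce}';
    public const SCRIPT_TAG = '{csp-script-nonce}';

    /**
     * Returns [body, headerValue]; headerValue is null when CSP is disabled.
     * The placeholders never survive to the output, whatever the flags are.
     */
    public static function finalizeBody(string $body, bool $cspEnabled, bool $autoNonce): array
    {
        // Constructed baseline policy for the example.
        $policy = [
            'script-src' => ["'self'"],
            'style-src'  => ["'self'"],
        ];

        if ($cspEnabled && $autoNonce) {
            // One fresh, unpredictable nonce per response and per directive.
            $styleNonce  = self::newNonce();
            $scriptNonce = self::newNonce();

            $body = str_replace(
                [self::STYLE_TAG, self::SCRIPT_TAG],
                ['nonce="' . $styleNonce . '"', 'nonce="' . $scriptNonce . '"'],
                $body
            );
            $policy['style-src'][]  = "'nonce-{$styleNonce}'";
            $policy['script-src'][] = "'nonce-{$scriptNonce}'";
        } else {
            // The placeholders are only a marker: strip them whenever they are
            // not substituted, i.e. CSP off, or CSP on with autoNonce off.
            $body = str_replace([self::STYLE_TAG, self::SCRIPT_TAG], '', $body);
        }

        $header = null;
        if ($cspEnabled) {
            $parts = [];
            foreach ($policy as $directive => $sources) {
                $parts[] = $directive . ' ' . implode(' ', $sources);
            }
            $header = implode('; ', $parts);
        }

        return [$body, $header];
    }

    /** 128 bits from the CSPRNG, base64-encoded as CSP expects. */
    public static function newNonce(): string
    {
        return base64_encode(random_bytes(16));
    }

    /** True when no placeholder leaked into the rendered page. */
    public static function isClean(string $body): bool
    {
        return strpos($body, self::STYLE_TAG) === false
            && strpos($body, self::SCRIPT_TAG) === false;
    }
}

// Constructed sample page fragment using the placeholders as CI documents them.
$page = '<style {csp-style-nonce}>body{margin:0}</style>'
      . '<script {csp-script-nonce}>init();</script>';

foreach ([[true, true], [true, false], [false, false]] as [$csp, $auto]) {
    [$body, $header] = NonceDemo::finalizeBody($page, $csp, $auto);
    printf(
        "csp=%s autoNonce=%s clean=%s\n  header: %s\n  body: %s\n",
        var_export($csp, true),
        var_export($auto, true),
        var_export(NonceDemo::isClean($body), true),
        $header ?? '(none)',
        $body
    );
}
```

Run with `php nonce_demo.php`: the middle case (CSP on, autoNonce off) is the one the post describes, and `isClean()` reports true for it because the strip branch does not depend on whether CSP is enabled. The check in `isClean()` is the kind of assertion worth keeping in a response test so that a leaked placeholder is caught before the page reaches a browser.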


Messages In This Thread
Noncense? - by Gary - 02-25-2023, 05:47 AM
RE: Noncense? - by kenjis - 02-26-2023, 07:28 PM
RE: Noncense? - by kenjis - 02-26-2023, 07:32 PM
RE: Noncense? - by Gary - 01-17-2024, 03:37 AM