Login

wine-fine · 08-01-2023, 01:30 AM

Hi, I hope I did not overlook an answer already given here, didn't find one

I've enabled CSP for my site, the header is sent, and any style is rejected, or the nonce set – all as planned

When I enter some data to my CMS – the CSP header is NOT sent.

eg. mysite/admin -> header sent

mysite/admin/update/123/content/456 -> header is not sent

The practical difference: without CSP a spell check extension for the browser works, with CSP it does not.

So I'ld like to find out, where to modify this CI4 behavior

thanks for help, regards, thomas

***kenjis*** · 08-01-2023, 02:03 AM

The CSP header is sent automatically by the framework Response class.
So if it is not sent,

1. The URL is not served by the framework. (The web server serves the content.)
2. You do not use the framework Response. (You send the response by yourself and call exit().)

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper

wine-fine · 08-01-2023, 02:18 AM

(08-01-2023, 02:03 AM)kenjis Wrote: The CSP header is sent automatically by the framework Response class.
So if it is not sent,

1. The URL is not served by the framework. (The web server serves the content.)
2. You do not use the framework Response. (You send the response by yourself and call exit().)

Thanks for the hint. There was a hidden exit() somewhere hidden behind the trees