Conversation
michalsn left a comment
Seems like disabling enableScriptNonce / enableStyleNonce still adds nonce="..." to the HTML tag, but no longer adds the matching 'nonce-...' value to the CSP header. As a result, those inline <script> / <style> blocks will be blocked by the browser.
59c20bb to d4275af
Done. Now both the header and the nonce="..." are removed from the HTML.
Thank you. There is one place left: https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/Autoloader/Autoloader.php#L541 - it still fetches nonces based only on
Done
Please run:
0099ac2 to 28e436d
Done
Not related, but I saw that this action run failed without any related changes. And during the next commit check, it passed.
Description
This PR adds the ability to have more control over whether to add nonces to style-src, style-src-elem, script-src and script-src-elem individually, by introducing two new boolean variables in the CSP config.
I am not sure this is the optimal solution for this feature, which is why I've made this draft PR for others to look at the implementation and provide the necessary changes. That's also why I still haven't updated the user guide or changelog.
Checklist:
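The mismatch raised in the review (a nonce="..." attribute left in the HTML while the matching 'nonce-...' source is missing from the CSP header, so the browser blocks the block) can be checked mechanically. This is an added stand-alone illustration, not CodeIgniter's code: it borrows the config names enableScriptNonce and enableStyleNonce from the PR, while the policy builder, the CSP3 fallback order and the consistency check are the example's own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class CspConfig:
    # Names taken from the PR; the semantics modelled here are an assumption of this example.
    enableScriptNonce: bool = True
    enableStyleNonce: bool = True


def build_policy(cfg: CspConfig, script_nonce: str, style_nonce: str):
    """Return (csp_header, script_tag, style_tag).

    The invariant the review asks for: a nonce appears in the header *and* the tag,
    or in neither. Emitting it in only one place makes the browser reject the block."""
    script_src, style_src = ["'self'"], ["'self'"]
    script_attr = style_attr = ""
    if cfg.enableScriptNonce:
        script_src.append(f"'nonce-{script_nonce}'")
        script_attr = f' nonce="{script_nonce}"'
    if cfg.enableStyleNonce:
        style_src.append(f"'nonce-{style_nonce}'")
        style_attr = f' nonce="{style_nonce}"'
    header = f"script-src {' '.join(script_src)}; style-src {' '.join(style_src)}"
    return header, f"<script{script_attr}>/* inline */</script>", f"<style{style_attr}>/* inline */</style>"


def find_orphan_nonces(header: str, html: str):
    """Return (tag, nonce) pairs whose nonce attribute has no matching 'nonce-...' source
    in the directive governing that element (script-src-elem -> script-src -> default-src).
    Those are exactly the inline blocks a CSP-enforcing browser would refuse to run."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = set(tokens[1:])
    orphans = []
    for tag, nonce in re.findall(r'<(script|style)\b[^>]*\snonce="([^"]*)"', html):
        governing = next(
            (directives[d] for d in (f"{tag}-src-elem", f"{tag}-src", "default-src") if d in directives),
            None,
        )
        if governing is None:  # no directive restricts this element type, nonce is irrelevant
            continue
        if f"'nonce-{nonce}'" not in governing:
            orphans.append((tag, nonce))
    return orphans


if __name__ == "__main__":
    header, script, style = build_policy(CspConfig(enableScriptNonce=False), "abc123", "xyz789")
    print(header, script, style, find_orphan_nonces(header, script + style), sep="\n")
```

Run against the pre-fix behaviour (header built without the nonce, tag still carrying it) the check reports the script block; after the fix both the header source and the attribute disappear together and nothing is reported.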