Proposal: HTTP Response - Fix CSP non existing object when CSP is dis…

…abled If CSP is disabled property $CSP in HTTP/Response is not initialized. If we try to access the CSP methods on the request object anywhere in code with CSP disabled it will crash the framework with "Call to a member function …. on null " In order to avoid this CSP object can be initiated regardless of CSP config. I’m aware that this is not the most efficient way to bypass the issue but some mechanism for disabling CSP should exist without having to do modifications everywhere in code. Maybe better idea will be to create mock class to be loaded instead which will respond with catchall magic methods like __call __set __get ….. But I don’t know if it is worth doing it as it will require adding additional class in framework. Ref #2456
codeigniter4 · Jan 22, 2020 · 9ea27aa · 9ea27aa
1 parent fedae3c
commit 9ea27aa
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/system/HTTP/Response.php b/system/HTTP/Response.php
@@ -239,13 +239,10 @@ public function __construct($config)
 		// Also ensures that a Cache-control header exists.
 		$this->noCache();
 
-		// Are we enforcing a Content Security Policy?
-		if ($config->CSPEnabled === true)
-		{
-			$this->CSP        = new ContentSecurityPolicy(new \Config\ContentSecurityPolicy());
-			$this->CSPEnabled = true;
-		}
+		// We need CSP object even if not enabled to avoid calls to non existing methods
+		$this->CSP = new ContentSecurityPolicy(new \Config\ContentSecurityPolicy());
 
+		$this->CSPEnabled     = $config->CSPEnabled;
 		$this->cookiePrefix   = $config->cookiePrefix;
 		$this->cookieDomain   = $config->cookieDomain;
 		$this->cookiePath     = $config->cookiePath;