From 24f1514267276a66f4f8540e110b4c93f6980d21 Mon Sep 17 00:00:00 2001 From: Paulo Lima Date: Sat, 12 Nov 2022 16:53:39 -0300 Subject: [PATCH 1/3] Make CSP nonce optional Added a config option to make nonce optional. There are many situations using third-party libs from google and others that doesn't work with nonces enabled. --- system/HTTP/ContentSecurityPolicy.php | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php index 4f912a8ea011..46dae21fc257 100644 --- a/system/HTTP/ContentSecurityPolicy.php +++ b/system/HTTP/ContentSecurityPolicy.php @@ -210,6 +210,13 @@ class ContentSecurityPolicy * @var bool */ protected $autoNonce = true; + + /** + * When enabled will add nonce to script, style and headers otherwise nonces will be disabled. + * + * @var boolean + */ + protected $nounceEnabled = false; /** * An array of header info since we have @@ -677,7 +684,7 @@ protected function generateNonces(ResponseInterface $response) $body = preg_replace_callback($pattern, function ($match) { $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce(); - return "nonce=\"{$nonce}\""; + return $this->nounceEnabled === false ? "" : "nonce=\"{$nonce}\""; }, $body); $response->setBody($body); @@ -788,7 +795,11 @@ protected function addToHeader(string $name, $values = null) } if (strpos($value, 'nonce-') === 0) { - $value = "'{$value}'"; + if ($this->nounceEnabled === false) { + $value = str_replace('nonce-', '', $value); + } else { + $value = "'{$value}'"; + } } if ($reportOnly === true) { From e2a0a43b3945b07476e46894d92c3302e3cd334a Mon Sep 17 00:00:00 2001 From: Paulo Lima Date: Sat, 12 Nov 2022 17:06:13 -0300 Subject: [PATCH 2/3] Make CSP nonce Added option to make nonce optional with default value set to true due to backwards compatibility. --- app/Config/ContentSecurityPolicy.php | 8 ++++++++ 1 file changed, 8 insertions(+) 
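Review bot: The framework default `protected $nounceEnabled = false;` in this hunk disables nonces for every application whose app config does not declare the new property, which is every existing install picking up this change, since patch 2 only adds the property to the shipped config template. If the constructor's config-to-property copy, outside this hunk, only overrides properties the config object actually defines, such sites silently lose the script and style nonces their current CSP relies on. Defaulting the framework property to `true`, matching the config in patch 2, keeps the existing behaviour and makes opting out explicit: `protected $nounceEnabled = true;`. The docblock also writes `@var boolean` where the adjacent `$autoNonce` block uses the short form `@var bool`, and the rename in patch 3 leaves that as is.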
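Review bot: The replacement callback still calls `$this->getStyleNonce()` or `$this->getScriptNonce()` before the new `$this->nounceEnabled === false` check, so a nonce is generated for every tag even when the feature is off, and if those getters also register the value in the source list (which the `nonce-` handling added to addToHeader in the next hunk suggests), it is queued for the header as well. Checking the flag first avoids both the work and the side effect: `if ($this->nounceEnabled === false) { return ''; }` at the top of the callback, with the existing ternary kept for the enabled case. generateNonces begins outside the hunk.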
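Review bot: Stripping the prefix with `str_replace('nonce-', '', $value)` when nonces are disabled still emits the bare nonce value into the directive, so a header reads like `script-src 'self' 7f3a9c1b` (constructed example) and browsers parse the leftover token as a host-source rather than ignoring it. Since the value is not wanted at all in that mode, the entry should be skipped: replace the `str_replace` line with `continue;` and drop the `else` so the enabled path keeps `$value = "'{$value}'";`, assuming this block sits inside the foreach over `$values` that addToHeader opens outside the hunk. Note also that `str_replace` replaces the substring anywhere in the string, not only at position 0 where the enclosing `strpos` check matched.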
diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php index 0be616301fb9..5500f74a0646 100644 --- a/app/Config/ContentSecurityPolicy.php +++ b/app/Config/ContentSecurityPolicy.php @@ -185,4 +185,12 @@ class ContentSecurityPolicy extends BaseConfig * @var bool */ public $autoNonce = true; + + /** + * When enabled will add nonce to script, style and headers. + * + * @var bool + */ + public $nonceEnabled = true; + } From 00f859836744b3db5faef8acb00db4b9881b743e Mon Sep 17 00:00:00 2001 From: Paulo Lima Date: Sat, 12 Nov 2022 17:07:23 -0300 Subject: [PATCH 3/3] fixed typo --- system/HTTP/ContentSecurityPolicy.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php index 46dae21fc257..cb39865ba200 100644 --- a/system/HTTP/ContentSecurityPolicy.php +++ b/system/HTTP/ContentSecurityPolicy.php @@ -216,7 +216,7 @@ class ContentSecurityPolicy * * @var boolean */ - protected $nounceEnabled = false; + protected $nonceEnabled = false; /** * An array of header info since we have @@ -684,7 +684,7 @@ protected function generateNonces(ResponseInterface $response) $body = preg_replace_callback($pattern, function ($match) { $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce(); - return $this->nounceEnabled === false ? "" : "nonce=\"{$nonce}\""; + return $this->nonceEnabled === false ? "" : "nonce=\"{$nonce}\""; }, $body); $response->setBody($body); @@ -795,7 +795,7 @@ protected function addToHeader(string $name, $values = null) } if (strpos($value, 'nonce-') === 0) { - if ($this->nounceEnabled === false) { + if ($this->nonceEnabled === false) { $value = str_replace('nonce-', '', $value); } else { $value = "'{$value}'";
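Review bot: An empty line is left between `public $nonceEnabled = true;` and the class's closing `}`, which the project's coding standard normally strips; drop that trailing blank line. The docblock should also tell the operator what turning the flag off means for the policy, e.g. `Set to false to omit nonces from script/style tags and from the CSP header. Without nonces, inline scripts and styles need another allowed source expression, so the resulting policy is weaker.` Patch 3 later renames the framework property to match this one but does not revisit this file.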