
added support for Content Security Policy script-src: 'nonce-....' [Closes nette#136]
dg committed Jan 13, 2017
1 parent 64477e1 commit b1b36cf
Showing 6 changed files with 24 additions and 8 deletions.
1 change: 1 addition & 0 deletions src/Tracy/Bar.php
Expand Up @@ -106,6 +106,7 @@ public function render()
}

if (Helpers::isHtmlMode()) {
$nonce = Helpers::getNonce();
require __DIR__ . '/assets/Bar/loader.phtml';
}
}
1 change: 1 addition & 0 deletions src/Tracy/BlueScreen.php
Expand Up @@ -109,6 +109,7 @@ private function renderTemplate($exception, $template)
Dumper::LOCATION => Dumper::LOCATION_CLASS,
]);
};
$nonce = Helpers::getNonce();

require $template;
}
9 changes: 9 additions & 0 deletions src/Tracy/Helpers.php
Expand Up @@ -238,4 +238,13 @@ public static function isAjax()
return isset($_SERVER['HTTP_X_TRACY_AJAX']) && preg_match('#^\w{10}\z#', $_SERVER['HTTP_X_TRACY_AJAX']);
}


/** @internal */
public static function getNonce()
{
return preg_match('#^Content-Security-Policy:.*\sscript-src\s+(?:[^;]+\s)?\'nonce-([\w+/]+=*)\'#mi', implode("\n", headers_list()), $m)
? $m[1]
: NULL;
}

}
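Review bot: The new `getNonce()` carries only `/** @internal */` and says nothing about where the nonce comes from or what it returns. I would document it as `Returns the nonce found in the script-src directive of a Content-Security-Policy header this script has already set via header(), or NULL when there is none; headers added by the web server are not visible to headers_list()` and add `@return string|NULL`. The last point matters to operators: a policy configured at the server level yields NULL here, so the bar's and blue screen's inline scripts are emitted without a nonce and that policy will block them. The literal colon after the header name means a `Content-Security-Policy-Report-Only` header is not matched; if that is intended it is worth one line in the comment as well.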
2 changes: 2 additions & 0 deletions src/Tracy/assets/Bar/bar.js
Expand Up @@ -400,6 +400,7 @@
}
Debug.scriptElem = document.createElement('script');
Debug.scriptElem.src = url;
Debug.scriptElem.setAttribute('nonce', layer.dataset.nonce);
document.documentElement.appendChild(Debug.scriptElem);
};

Expand All @@ -408,6 +409,7 @@
if ((!script.hasAttribute('type') || script.type === 'text/javascript' || script.type === 'application/javascript') && !script.tracyEvaluated) {
var dolly = script.ownerDocument.createElement('script');
dolly.textContent = script.textContent;
dolly.setAttribute('nonce', layer.dataset.nonce);
script.ownerDocument.body.appendChild(dolly);
script.tracyEvaluated = true;
}
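Review bot: The two new `setAttribute('nonce', layer.dataset.nonce)` calls (first hunk at the `Debug.scriptElem` creation, second at the `dolly` clone) will set the literal string `"undefined"` whenever the `data-nonce` attribute is absent from `layer`, for example a loader rendered by an older template; `layer` itself is defined outside the hunks. A guard such as `if (layer.dataset.nonce) { Debug.scriptElem.setAttribute('nonce', layer.dataset.nonce); }` keeps the attribute off the element when no policy nonce is in play, and the same guard belongs on the `dolly` line. Both enclosing functions start outside the hunks.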
9 changes: 5 additions & 4 deletions src/Tracy/assets/Bar/loader.phtml
Expand Up @@ -13,18 +13,19 @@ namespace Tracy;

use Tracy;

$nonceAttr = $nonce ? ' nonce="' . Helpers::escapeHtml($nonce) . '"' : '';
?>




<!-- Tracy Debug Bar -->
<div id="tracy-debug" data-id="<?= htmlspecialchars($contentId) ?>"></div>
<div id="tracy-debug" data-id="<?= Helpers::escapeHtml($contentId) ?>" data-nonce="<?= $nonce ?>"></div>
<?php if ($contentId): ?>
<script src="?_tracy_bar=<?= urlencode("content.$contentId") ?>&amp;XDEBUG_SESSION_STOP=1"></script>
<script src="?_tracy_bar=<?= urlencode("content.$contentId") ?>&amp;XDEBUG_SESSION_STOP=1"<?= $nonceAttr ?>></script>
<?php else: ?>
<script src="?_tracy_bar=js&amp;v=<?= urlencode(Debugger::VERSION) ?>&amp;XDEBUG_SESSION_STOP=1"></script>
<script>
<script src="?_tracy_bar=js&amp;v=<?= urlencode(Debugger::VERSION) ?>&amp;XDEBUG_SESSION_STOP=1"<?= $nonceAttr ?>></script>
<script<?= $nonceAttr ?>>
Tracy.Debug.init(<?= json_encode($content) ?>, <?= json_encode($dumps) ?>);
</script>
<?php endif ?>
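Review bot: `data-nonce="<?= $nonce ?>"` on the new `#tracy-debug` div emits the nonce unescaped, while `$nonceAttr` a few lines earlier passes the same value through `Helpers::escapeHtml()`. The regex in `Helpers::getNonce()` limits the value to `[\w+/]+=*`, so no HTML-special character can reach the attribute today, but the two outputs should agree so that a later relaxation of that regex cannot break the markup: `data-nonce="<?= Helpers::escapeHtml($nonce) ?>"` (assuming escapeHtml accepts the NULL that getNonce() returns when no policy is set). Separately, exposing the nonce in a `data-*` attribute makes it readable from the DOM, which browsers that implement CSP nonce hiding deliberately prevent for the `nonce` attribute of a `<script>`; a comment such as `<!-- nonce is exposed in data-nonce so bar.js can tag the scripts it injects -->` would record why it is done here, and reading it from the loader `<script>` element's `nonce` property instead may be worth evaluating.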
10 changes: 6 additions & 4 deletions src/Tracy/assets/BlueScreen/page.phtml
Expand Up @@ -8,12 +8,14 @@
*
* @param array $exception
* @param string $title
* @param string $nonce
* @return void
*/

namespace Tracy;

$code = $exception->getCode() ? ' #' . $exception->getCode() : '';
$nonceAttr = $nonce ? ' nonce="' . Helpers::escapeHtml($nonce) . '"' : '';

?><!DOCTYPE html><!-- "' --></script></style></pre></xmp></table></a></abbr></address></article></aside></audio></b></bdi></bdo></blockquote></button></canvas></caption></cite></code></datalist></del></details></dfn></div></dl></em></fieldset></figcaption></figure></footer></form></h1></h2></h3></h4></h5></h6></header></hgroup></i></iframe></ins></kbd></label></legend></map></mark></menu></meter></nav></noscript></object></ol></optgroup></output></progress></q></rp></rt></ruby></s></samp></section></select></small></span></strong></sub></summary></sup></textarea></time></title></tr></u></ul></var></video>
<html>
Expand All @@ -30,14 +32,14 @@ $code = $exception->getCode() ? ' #' . $exception->getCode() : '';
<style type="text/css" class="tracy-debug">
<?= preg_replace('#[\r\n\t ]+#', ' ', file_get_contents(__DIR__ . '/bluescreen.css')) ?>
</style>
<script>document.documentElement.className+=' tracy-js'</script>
<script<?= $nonceAttr ?>>document.documentElement.className+=' tracy-js'</script>
</head>


<body>
<?php require __DIR__ . '/content.phtml' ?>

<script>
<script<?= $nonceAttr ?>>
(function() {
if (!document.documentElement.dataset) {
document.getElementById('tracy-bs-error').innerHTML += '<div id=tracy-bs-ie-warning>Warning: Tracy requires IE 11+<\/div>';
Expand All @@ -48,10 +50,10 @@ $code = $exception->getCode() ? ' #' . $exception->getCode() : '';
<?php readfile(__DIR__ . '/bluescreen.js') ?>
})();
</script>
<script>
<script<?= $nonceAttr ?>>
Tracy && Tracy.Dumper.init(<?= json_encode(Dumper::fetchLiveData()) ?>);
</script>
<script>
<script<?= $nonceAttr ?>>
Tracy && Tracy.BlueScreen.init();
</script>
</body>
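Review bot: The new docblock line `@param string $nonce` in the first hunk does not match what `Helpers::getNonce()` returns: NULL when no Content-Security-Policy nonce is present, which is exactly the case the `$nonceAttr` line below it tests for. Change it to `@param string|NULL $nonce`. That `$nonce ?` test also treats the unlikely but regex-valid nonce `"0"` as absent; `$nonce !== NULL ?` is precise, and the same applies to the identical line in loader.phtml.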
