Merge pull request #8 from GravitateNZ/fixes

updates to csp headers for styles vs scripts

src/Twig/CspExtension.php

@@ -17,7 +17,7 @@
 class CspExtension extends AbstractExtension
 {
 
-    protected ?string $nonce = null;
+    protected array|null $nonce = [];
 
     public function __construct(protected CspHeaderListener $listener)
     {}
@@ -47,11 +47,11 @@ public function getTokenParsers(): array
     public function addCspNonce(string $directive = 'script-src'): string
     {
         //generate a nonce, return it and stuff it into a page...
-        if (!$this->nonce) {
-            $this->nonce = base64_encode(random_bytes(32));
-            $this->listener->addCspDirective($directive, "'nonce-{$this->nonce}'");
+        if (!isset($this->nonce[$directive])) {
+            $this->nonce[$directive] = base64_encode(random_bytes(32));
+            $this->listener->addCspDirective($directive, "'nonce-{$this->nonce[$directive]}'");
         }
-        return $this->nonce;
+        return $this->nonce[$directive];
     }
 
     public function hash(string $body, string $algo = 'sha384'): array

tests/CspNonceExtensionTest.php

@@ -46,4 +46,25 @@ public function testNonce(): void
         $this->assertStringContainsString("'nonce-{$nonce}'", $h);
 
     }
+
+
+    public function testCssNonce(): void
+    {
+        $scriptNonce = $this->extension->addCspNonce('script-src');
+        $styleNonce = $this->extension->addCspNonce('style-src');
+        $this->assertNotNull($scriptNonce);
+        $this->assertNotNull($styleNonce);
+
+        $this->assertNotEquals($styleNonce, $scriptNonce);
+
+        $this->assertEquals($scriptNonce, $this->extension->addCspNonce());
+        $this->assertEquals($styleNonce, $this->extension->addCspNonce('style-src'));
+
+        $h = $this->extension->getListener()->getCspHeader();
+
+        $this->assertStringContainsString("'nonce-{$scriptNonce}'", $h);
+        $this->assertStringContainsString("'nonce-{$styleNonce}'", $h);
+
+    }
+
 }