
CSP + DebugBar #1165

Closed
nowackipawel opened this issue Aug 17, 2018 · 6 comments

Comments

@nowackipawel
Contributor

nowackipawel commented Aug 17, 2018

Hi there, I'm not a CSP expert.
I configured CSP with self and the required domains (for script, style and fonts) and everything was great until DebugToolbar was turned on. Even if all of the toolbar's tabs seem to work ok... there are errors in the console:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: onclick attribute on A element. [only once]
Content Security Policy: The page’s settings blocked the loading of a resource at self (“style-src”). [repeated when tab is changed]
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). [repeated when tab is changed]

[nginx/php7.2/debian + ff / iridium]

... actually iridium (chrome) gave me more details:
?debugbar:49 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://maxcdn.bootstrapcdn.com/ https://use.fontawesome.com/ 'nonce-fd68498a9d2a9ea28cd45f26'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

xhttp.onreadystatechange @ ?debugbar:49

I think the problem is not with the first HTML code which is generated by DebugToolbar but when it tries to apply additional scripts/styles.

@lonnieezell
Member

Are you using the latest version of the develop branch? I remember a patch came through not very long ago that set {csp_nonce} in the html for the toolbar which should have fixed that error.

@nowackipawel
Contributor Author

Unfortunately my version of /system/Debug/Toolbar/toolbarloader.js.php and /application/Filters/DebugToolbar.php are the same as here :(.

@puschie286
Contributor

puschie286 commented Aug 20, 2018

Your errors are "normal" and can be ignored because they don't affect your site at all. The latest toolbar changes should only allow use with CSP protection enabled and the development environment.

@jim-parry
Contributor

Kint issue? Out of scope for us? No further info in 3 months.

@crustamet
Contributor

I don't know about you guys, but I just created a new CodeIgniter 4 project with the latest updates on PHP 8.1.2,
and this problem still persists when I use the development environment with the debugbar: {csp-style-nonce} is just not being replaced in development mode, or if it is replaced, it is replaced with an empty value.


@crustamet
Contributor

I guess it is hard to make a js file that does not use inline scripts and include them.
