Render with nonce/hash parameter #847
Comments
Yeah I was having a similar problem, must see what the best way is. Perhaps a callback to set it or something.
Running into this same issue. I'm using https://github.com/spatie/laravel-csp to set policies and working through the console.log to resolve issues. I need to add nonces to the Style and 2 script elements injected.
Any news on this? Trying to implement Spatie’s package too. Would be great to pass along a nonce.
Any progress? The debugbar is currently the only package blocking me from using CSP.
Same for me. Currently disabled debugbar. Is there any way we can help or assist? @barryvdh you had some ideas?
For those using laravel-csp or trying to: looks like there is a config option to enable/disable in the ENV file, you could use this to drop the CSP policy/headers from dev/testing. The following is found in config/csp.php (have not used or tested this yet)
Would also like to see a proper fix for this issue. Disabling CSP locally is asking for problems in production. :) My current workaround with Spatie/laravel-csp, in a custom policy:
At least in that way it is possible to keep an eye on the console for violations.
Still no progress? Report-only mode for local is a poor workaround as debugbar will generate an enormous amount of CSP warnings and the console becomes filled and unreadable. Are we (CSP users) really such a minority?
Sorry I don't use it often. But what is exactly required, just the nonce to the scripts? So we can extend https://github.com/barryvdh/laravel-debugbar/blob/master/src/JavascriptRenderer.php to inject a nonce in all script, but we need to have a way to determine the nonce. We could obviously just support Spatie and do something like
Thumbs up for the idea of
Is the script and style nonce always the same?
We could also make it a config option, eg. define the callable in the config (
With Spatie script and style use the same nonce, I'd guess that is quite a typical case for any usage of nonce.
Callback idea sounds excellent as it would allow any CSP package or custom solution. Much appreciated!
Ultimately nonce for each inline block
Partial PR: #1013
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
For anyone coming here and wondering if this is solved and how to make it work. I solved it by using a recent version of the package (>Sep 2023 / version >3.12.2) and by adding the following to app/Providers/AppServiceProvider.php (Laravel 10):

```php
if ($this->app->isLocal()) {
    // Set CSP nonce for Laravel Debugbar during development
    if (class_exists(\Barryvdh\Debugbar\Facades\Debugbar::class) && app()->bound('debugbar')) {
        app('debugbar')->getJavascriptRenderer()->setCspNonce(csp_nonce());
    }
}
```

Finally no more CSP warnings during development. Thanks for an excellent package and thanks for the work to get this issue solved 😀 👍
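The two halves of the fix discussed in this thread (a custom laravel-csp policy that issues nonces for both script and style, and the service-provider call that hands the request nonce to the debugbar renderer) can be combined as below. This is an added example, not code from laravel-debugbar, laravel-csp or any commenter. It assumes the spatie/laravel-csp v2 class-based policy API (`Spatie\Csp\Policies\Policy`, `Directive`, `Keyword`, `addNonceForDirective()`, the `csp_nonce()` helper) and laravel-debugbar 3.12.2 or later, which exposes `JavascriptRenderer::setCspNonce()`. The class names `StrictPolicy` and the `App\Support\Csp` namespace are assumptions; register the policy via the `policy` key in config/csp.php.

```php
<?php
// Added example: enforce a nonce-based CSP in every environment and still let
// the debugbar's injected <script>/<style> blocks load in local development.
// Assumes spatie/laravel-csp v2 and barryvdh/laravel-debugbar >= 3.12.2.

namespace App\Support\Csp {

    use Spatie\Csp\Directive;
    use Spatie\Csp\Keyword;
    use Spatie\Csp\Policies\Policy;

    // Custom policy (hypothetical name): no unsafe-inline anywhere. Inline
    // script and style are allowed only when they carry the per-request
    // nonce, so any injected block without it is blocked and reported.
    class StrictPolicy extends Policy
    {
        public function configure()
        {
            $this
                ->addDirective(Directive::BASE, Keyword::SELF)
                ->addDirective(Directive::DEFAULT, Keyword::SELF)
                ->addDirective(Directive::OBJECT, Keyword::NONE)
                ->addDirective(Directive::SCRIPT, Keyword::SELF)
                ->addDirective(Directive::STYLE, Keyword::SELF)
                // Same nonce is attached to both directives, matching what
                // the thread observed about laravel-csp behaviour.
                ->addNonceForDirective(Directive::SCRIPT)
                ->addNonceForDirective(Directive::STYLE);
        }
    }
}

namespace App\Providers {

    use Illuminate\Support\ServiceProvider;

    class AppServiceProvider extends ServiceProvider
    {
        public function boot(): void
        {
            // Only wire the debugbar in local development. Production keeps
            // the same strict policy and never has the debugbar bound at all,
            // so CSP does not need to be relaxed there.
            if (! $this->app->isLocal()) {
                return;
            }

            // Guard against the package being absent or disabled via
            // DEBUGBAR_ENABLED=false, in which case 'debugbar' is not bound.
            if (! $this->app->bound('debugbar')) {
                return;
            }

            // csp_nonce() returns the nonce laravel-csp already placed in the
            // Content-Security-Policy header for this request; passing the
            // same value to the renderer makes the injected <script> and
            // <style> tags carry a matching nonce="..." attribute.
            $this->app->make('debugbar')
                ->getJavascriptRenderer()
                ->setCspNonce(csp_nonce());
        }
    }
}
```

With this in place the browser console should show no debugbar-related CSP violations locally, while any other inline script or style that lacks the nonce is still blocked, which is the property the report-only workaround earlier in the thread could not preserve.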
@jtallinger thank you, that works.
@jtallinger Excellent stuff! I was digging through the source files too.
@jtallinger Thank you! This idea needs to be held up way higher so everyone can see it 🙏
As the default installation injects the code just before </body>, the script and assets will be blocked by the browser if you enforce strong CSP headers for injection protection. It would be a nice workaround if, by setting 'inject' to false and rendering the debugbar manually in your master template, one could also add a nonce or hash parameter:
so the result would be something like
Doesn't seem to me that #569 is related, but correct me if I'm wrong