
Render with nonce/hash parameter #847

Closed
screenager opened this issue Jul 13, 2018 · 20 comments


screenager commented Jul 13, 2018

As the default installation injects the code just before </body>, the script and assets will be blocked by the browser if you enforce strong CSP headers for injection protection.

It would be a nice workaround if, by setting 'inject' to false and rendering the debugbar manually in your master template, one could also add a nonce or hash parameter:

$renderer = Debugbar::getJavascriptRenderer();
echo $renderer->renderHead(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p']);
..
echo $renderer->render(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p']);

so the result would be something like

<link nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p" ..  />
..
<script type="text/javascript" nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p">
  var phpdebugbar = new PhpDebugBar.DebugBar();
  ..

Doesn't seem to me that #569 is related, but correct me if I'm wrong

@barryvdh (Owner)

Yeah I was having a similar problem, must see what the best way is. Perhaps a callback to set it or something.

@ncrewsSouthern

Running into this same issue. I'm using https://github.com/spatie/laravel-csp to set policies and working through the console.log to resolve issues. I need to add nonces to the style and 2 script elements injected.


jannejava commented Apr 6, 2019

Any news on this? Trying to implement Spatie's package too. Would be great to pass along a nonce.


dovca commented May 7, 2019

Any progress? The debugbar is currently the only package blocking me from using CSP.

@jannejava

Same for me. Currently disabled debugbar. Is there any way we can help or assist? @barryvdh you had some ideas?

@ncrewsSouthern

For those using laravel-csp or trying to: it looks like there is a config option to enable/disable it via the ENV file; you could use this to drop the CSP policy/headers from dev/testing.

The following is found in config/csp.php (I have not used or tested this yet):

'enabled' => env('CSP_ENABLED', true),

@jtallinger

Would also like to see a proper fix for this issue. Disabling CSP locally is asking for problems in production. :)

My current workaround with Spatie/laravel-csp, in a custom policy:

// To allow Laravel debugbar and Whoops error handling in local environment
if (config('app.env') == 'local') {
    $this->reportOnly();
}

At least that way it is possible to keep an eye on the console for violations.

@liepumartins

Still no progress?

Report-only mode for local is a poor workaround, as debugbar will generate an enormous amount of CSP warnings and the console becomes filled and unreadable.

Are we (CSP users) really such a minority?

barryvdh (Owner) commented Mar 3, 2020

Sorry, I don't use it often. But what exactly is required, just the nonce on the scripts? So we can extend https://github.com/barryvdh/laravel-debugbar/blob/master/src/JavascriptRenderer.php to inject a nonce in all scripts, but we need to have a way to determine the nonce. We could obviously just support Spatie and do something like function_exists('csp_nonce'), or check if the View has a shared variable like in https://github.com/fruitcake/laravel-telescope-toolbar/blob/master/resources/views/head.blade.php

@jtallinger

Thumbs up for the idea of function_exists('csp_nonce'); I'd guess that is what most users use anyway with Laravel. And if not using that package, then the option is to define and bootstrap your own function named csp_nonce.

barryvdh (Owner) commented Mar 3, 2020

Is the script and style nonce always the same?

barryvdh (Owner) commented Mar 3, 2020

We could also make it a config option, eg. define the callable in the config ('csp_callback' => 'csp_nonce') and use that.
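As an added example (my own PHP, not laravel-debugbar's code), here is how a renderer could resolve the nonce through a configured callable as suggested in this comment, and emit the nonce-tagged tags the original post asks for. The class name NonceAwareRenderer, the 'csp_callback' config key and the asset paths are assumptions; csp_nonce() here is a stand-in for the Spatie helper named in this thread, defined only if no such function exists. The findUnnoncedElements() check is also mine: it flags any script, style or link tag whose nonce does not match the one the header advertises, which is exactly the tag the browser would block.

```php
<?php
// Added example, not laravel-debugbar's own code. PHP 7.4+.
// Hypothetical names: NonceAwareRenderer, 'csp_callback', asset paths.

declare(strict_types=1);

// Stand-in for a CSP package helper such as csp_nonce(): one random value
// per request, reused for every <script>/<style>/<link> tag in the response.
if (!function_exists('csp_nonce')) {
    function csp_nonce(): string
    {
        static $nonce = null;
        // 128 bits from the CSPRNG; base64 is the encoding CSP nonces use.
        return $nonce ??= base64_encode(random_bytes(16));
    }
}

final class NonceAwareRenderer
{
    /** @var callable|null returns the request's nonce, or null for none */
    private $nonceResolver;

    public function __construct(array $config = [])
    {
        // Equivalent of a 'csp_callback' => 'csp_nonce' config entry:
        // any callable works, so any CSP package or custom helper fits.
        $callback = $config['csp_callback'] ?? null;
        $this->nonceResolver = is_callable($callback) ? $callback : null;
    }

    public function getCspNonce(): ?string
    {
        return $this->nonceResolver === null ? null : (string) ($this->nonceResolver)();
    }

    // Renders ' nonce="..."' with the value HTML-escaped, or an empty string
    // when no resolver is configured (output then matches the current default).
    private function nonceAttribute(): string
    {
        $nonce = $this->getCspNonce();
        return $nonce === null
            ? ''
            : ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '"';
    }

    public function renderHead(): string
    {
        // Constructed asset paths, not the package's real ones.
        return '<link rel="stylesheet" type="text/css" href="/debugbar.css"' . $this->nonceAttribute() . " />\n"
             . '<script type="text/javascript" src="/debugbar.js"' . $this->nonceAttribute() . "></script>\n";
    }

    public function render(): string
    {
        return '<script type="text/javascript"' . $this->nonceAttribute() . ">\n"
             . "  var phpdebugbar = new PhpDebugBar.DebugBar();\n"
             . "</script>\n";
    }
}

// Defender-side check: return every <script>/<style>/<link> opening tag that
// does not carry the nonce advertised in the Content-Security-Policy header.
function findUnnoncedElements(string $html, string $nonce): array
{
    preg_match_all('/<(script|style|link)\b[^>]*>/i', $html, $tags);
    $expected = 'nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '"';
    return array_values(array_filter(
        $tags[0],
        fn (string $tag): bool => strpos($tag, $expected) === false
    ));
}

// Usage with a constructed config. The header is built as a string rather
// than sent, so the script also runs from the command line.
$renderer = new NonceAwareRenderer(['csp_callback' => 'csp_nonce']);
$nonce = csp_nonce();
$cspHeader = "Content-Security-Policy: script-src 'nonce-{$nonce}'; style-src 'nonce-{$nonce}'";
$html = $renderer->renderHead() . $renderer->render();

echo $cspHeader, "\n\n", $html, "\n";
$offenders = findUnnoncedElements($html, $nonce);
echo $offenders === []
    ? "all script/style/link tags carry the header nonce\n"
    : "tags the browser would block:\n" . implode("\n", $offenders) . "\n";
```

The same nonce is valid for both script-src and style-src, so a single resolver covers the stylesheet link and both script tags; what matters is that the value is generated fresh for every response and never reused. Running findUnnoncedElements() over a rendered page is a cheap way to confirm the debugbar output is clean before switching a policy from report-only to enforce.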

@jtallinger

With Spatie, script and style use the same nonce; I'd guess that is quite a typical case for any usage of nonces.


liepumartins commented Mar 3, 2020

Callback idea sounds excellent as it would allow any CSP package or custom solution.
Yes, usually the nonce is the same for style and script tags.

Much appreciated!

But what is exactly required, just the nonce to the scripts?

Ultimately, a nonce for each inline <script> and <style> block, and no use of element inline styles (<a style="color:red">) or inline scripts (<button onclick="func()">).

barryvdh (Owner) commented Mar 3, 2020

Partial PR: #1013


stale bot commented Jul 29, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If this issue is still present on the latest version of this library on supported Laravel versions, please let us know by replying to this issue so we can investigate further.
Thank you for your contribution! Apologies for any delayed response on our side.

@stale stale bot added the stale label Jul 29, 2020
@stale stale bot closed this as completed Aug 5, 2020
@jtallinger

For anyone coming here and wondering if this is solved and how to make it work: I solved it by using a recent version of the package (>Sep 2023 / version >3.12.2) and by adding the following to app/Providers/AppServiceProvider.php (Laravel 10):

if ($this->app->isLocal()) {
    // Set CSP nonce for Laravel Debugbar during development
    if (class_exists(\Barryvdh\Debugbar\Facades\Debugbar::class) && app()->bound('debugbar')) {
        app('debugbar')->getJavascriptRenderer()->setCspNonce(csp_nonce());
    }
}

Finally no more CSP warnings during development. Thanks for an excellent package and thanks for the work to get this issue solved 😀 👍

@Seyid-cmd

@jtallinger thank you, that works.

@marcobax

@jtallinger Excellent stuff! I was digging through the source files too.

@MizouziE

@jtallinger Thank you! This idea needs to be held up way higher so everyone can see it 🙏


10 participants