From f43a6b41a8ed6b2a8c814b2360a52a0fa384b3fb Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 11:45:01 +0900
Subject: [PATCH 01/24] refactor: move $CSPEnabled from Response to
 ContentSecurityPolicy

ContentSecurityPolicy will be needed out of Response.
---
 system/HTTP/ContentSecurityPolicy.php | 23 +++++++++++++++++++++++
 system/HTTP/Response.php              |  3 +++
 system/HTTP/ResponseTrait.php         |  4 +++-
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 3b18fc8bf1df..cee4c92b9d37 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -192,6 +192,13 @@ class ContentSecurityPolicy
      */
     protected $reportOnlyHeaders = [];
 
+    /**
+     * Whether Content Security Policy is being enforced.
+     *
+     * @var bool
+     */
+    protected $CSPEnabled = false;
+
     /**
      * Constructor.
      *
@@ -206,6 +213,22 @@ public function __construct(ContentSecurityPolicyConfig $config)
         }
     }
 
+    /**
+     * Enable CSP
+     */
+    public function enable(): void
+    {
+        $this->CSPEnabled = true;
+    }
+
+    /**
+     * Whether Content Security Policy is being enforced.
+     */
+    public function enabled(): bool
+    {
+        return $this->CSPEnabled;
+    }
+
     /**
      * Compiles and sets the appropriate headers in the request.
      *
diff --git a/system/HTTP/Response.php b/system/HTTP/Response.php
index 8e2cc472cc00..f25962d6af37 100644
--- a/system/HTTP/Response.php
+++ b/system/HTTP/Response.php
@@ -155,6 +155,9 @@ public function __construct($config)
         $this->CSP = new ContentSecurityPolicy(new CSPConfig());
 
         $this->CSPEnabled = $config->CSPEnabled;
+        if ($config->CSPEnabled) {
+            $this->CSP->enable();
+        }
 
         // DEPRECATED COOKIE MANAGEMENT
 
diff --git a/system/HTTP/ResponseTrait.php b/system/HTTP/ResponseTrait.php
index 278143fd3c3a..412e7b970e7c 100644
--- a/system/HTTP/ResponseTrait.php
+++ b/system/HTTP/ResponseTrait.php
@@ -38,6 +38,8 @@ trait ResponseTrait
      * Whether Content Security Policy is being enforced.
      *
      * @var bool
+     *
+     * @deprecated Use $this->CSP->enabled() instead.
      */
     protected $CSPEnabled = false;
 
@@ -433,7 +435,7 @@ public function send()
     {
         // If we're enforcing a Content Security Policy,
         // we need to give it a chance to build out it's headers.
-        if ($this->CSPEnabled === true) {
+        if ($this->CSP->enabled()) {
             $this->CSP->finalize($this);
         } else {
             $this->body = str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $this->body ?? '');

From 434f90ac4f9b33e1d9bf772254221d79019389a7 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 11:53:01 +0900
Subject: [PATCH 02/24] feat: add methods to get nonces

---
 system/HTTP/ContentSecurityPolicy.php         | 38 +++++++++++++++++++
 .../system/HTTP/ContentSecurityPolicyTest.php | 18 +++++++++
 2 files changed, 56 insertions(+)

diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index cee4c92b9d37..baf42ff6193d 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -176,6 +176,20 @@ class ContentSecurityPolicy
      */
     protected $nonces = [];
 
+    /**
+     * Nonce for style
+     *
+     * @var string
+     */
+    protected $styleNonce;
+
+    /**
+     * Nonce for script
+     *
+     * @var string
+     */
+    protected $scriptNonce;
+
     /**
      * An array of header info since we have
      * to build ourself before passing to Response.
@@ -229,6 +243,30 @@ public function enabled(): bool
         return $this->CSPEnabled;
     }
 
+    /**
+     * Get the nonce for the style tag.
+     */
+    public function getStyleNonce(): string
+    {
+        if ($this->styleNonce === null) {
+            $this->styleNonce = bin2hex(random_bytes(12));
+        }
+
+        return $this->styleNonce;
+    }
+
+    /**
+     * Get the nonce for the script tag.
+     */
+    public function getScriptNonce(): string
+    {
+        if ($this->scriptNonce === null) {
+            $this->scriptNonce = bin2hex(random_bytes(12));
+        }
+
+        return $this->scriptNonce;
+    }
+
     /**
      * Compiles and sets the appropriate headers in the request.
      *
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 0bbb6f60f988..8d70c4929cd0 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -519,4 +519,22 @@ public function testCSPDisabled()
 
         $this->assertHeaderNotEmitted('content-security-policy', true);
     }
+
+    public function testGetScriptNonce()
+    {
+        $this->prepare();
+
+        $nonce = $this->csp->getScriptNonce();
+
+        $this->assertMatchesRegularExpression('/[0-9a-z]{24}/', $nonce);
+    }
+
+    public function testGetStyleNonce()
+    {
+        $this->prepare();
+
+        $nonce = $this->csp->getStyleNonce();
+
+        $this->assertMatchesRegularExpression('/[0-9a-z]{24}/', $nonce);
+    }
 }

From c45cfcb622365bf9b288f52fa2e56874e3354a41 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 12:53:08 +0900
Subject: [PATCH 03/24] refactor: output only one nonce

Outputting multiple nonces do not improve security.
One is enough.
---
 system/HTTP/ContentSecurityPolicy.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index baf42ff6193d..540b5ab86789 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -651,21 +651,25 @@ protected function generateNonces(ResponseInterface &$response)
 
         // Replace style placeholders with nonces
         $body = preg_replace_callback('/{csp-style-nonce}/', function () {
-            $nonce = bin2hex(random_bytes(12));
-
-            $this->styleSrc[] = 'nonce-' . $nonce;
+            $nonce = $this->getStyleNonce();
 
             return "nonce=\"{$nonce}\"";
-        }, $body);
+        }, $body, -1, $count);
+
+        if ($count > 0) {
+            $this->styleSrc[] = 'nonce-' . $this->styleNonce;
+        }
 
         // Replace script placeholders with nonces
         $body = preg_replace_callback('/{csp-script-nonce}/', function () {
-            $nonce = bin2hex(random_bytes(12));
-
-            $this->scriptSrc[] = 'nonce-' . $nonce;
+            $nonce = $this->getScriptNonce();
 
             return "nonce=\"{$nonce}\"";
-        }, $body);
+        }, $body, -1, $count);
+
+        if ($count > 0) {
+            $this->scriptSrc[] = 'nonce-' . $this->scriptNonce;
+        }
 
         $response->setBody($body);
     }

From 6be16a8c5c776e02d9a72064e06425d8e7a4034a Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 13:26:08 +0900
Subject: [PATCH 04/24] feat: custom nonce tags

---
 app/Config/ContentSecurityPolicy.php          | 14 ++++++++
 env                                           |  2 ++
 system/HTTP/ContentSecurityPolicy.php         | 20 +++++++++--
 .../system/HTTP/ContentSecurityPolicyTest.php | 33 +++++++++++++++++++
 4 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
index 6fa5bd7b4cc7..b4450d5ed422 100644
--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
@@ -164,4 +164,18 @@ class ContentSecurityPolicy extends BaseConfig
      * @var string|string[]|null
      */
     public $sandbox;
+
+    /**
+     * Nonce tag for style
+     *
+     * @var string
+     */
+    public $styleNonceTag = '{csp-style-nonce}';
+
+    /**
+     * Nonce tag for script
+     *
+     * @var string
+     */
+    public $scriptNonceTag = '{csp-script-nonce}';
 }
diff --git a/env b/env
index c60b367265e7..7b52d6690441 100644
--- a/env
+++ b/env
@@ -73,6 +73,8 @@
 # contentsecuritypolicy.reportURI = null
 # contentsecuritypolicy.sandbox = false
 # contentsecuritypolicy.upgradeInsecureRequests = false
+# contentsecuritypolicy.styleNonceTag = '{csp-style-nonce}'
+# contentsecuritypolicy.scriptNonceTag = '{csp-script-nonce}'
 
 #--------------------------------------------------------------------
 # COOKIE
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 540b5ab86789..fb70c613549a 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -190,6 +190,20 @@ class ContentSecurityPolicy
      */
     protected $scriptNonce;
 
+    /**
+     * Nonce tag for style
+     *
+     * @var string
+     */
+    protected $styleNonceTag = '{csp-style-nonce}';
+
+    /**
+     * Nonce tag for script
+     *
+     * @var string
+     */
+    protected $scriptNonceTag = '{csp-script-nonce}';
+
     /**
      * An array of header info since we have
      * to build ourself before passing to Response.
@@ -650,7 +664,8 @@ protected function generateNonces(ResponseInterface &$response)
         }
 
         // Replace style placeholders with nonces
-        $body = preg_replace_callback('/{csp-style-nonce}/', function () {
+        $pattern = '/' . preg_quote($this->styleNonceTag, '/') . '/';
+        $body    = preg_replace_callback($pattern, function () {
             $nonce = $this->getStyleNonce();
 
             return "nonce=\"{$nonce}\"";
@@ -661,7 +676,8 @@ protected function generateNonces(ResponseInterface &$response)
         }
 
         // Replace script placeholders with nonces
-        $body = preg_replace_callback('/{csp-script-nonce}/', function () {
+        $pattern = '/' . preg_quote($this->scriptNonceTag, '/') . '/';
+        $body    = preg_replace_callback($pattern, function () {
             $nonce = $this->getScriptNonce();
 
             return "nonce=\"{$nonce}\"";
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 8d70c4929cd0..5525309d7a2f 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -13,6 +13,7 @@
 
 use CodeIgniter\Test\CIUnitTestCase;
 use Config\App;
+use Config\ContentSecurityPolicy as CSPConfig;
 
 /**
  * Test the CSP policy directive creation.
@@ -463,6 +464,22 @@ public function testBodyScriptNonce()
         $this->assertStringContainsString('nonce-', $result);
     }
 
+    public function testBodyScriptNonceCustomScriptTag()
+    {
+        $config                 = new CSPConfig();
+        $config->scriptNonceTag = '{custom-script-nonce-tag}';
+        $csp                    = new ContentSecurityPolicy($config);
+
+        $response = new Response(new App());
+        $response->pretend(true);
+        $body = 'Blah blah {custom-script-nonce-tag} blah blah';
+        $response->setBody($body);
+
+        $csp->finalize($response);
+
+        $this->assertStringContainsString('nonce=', $response->getBody());
+    }
+
     /**
      * @runInSeparateProcess
      * @preserveGlobalState  disabled
@@ -481,6 +498,22 @@ public function testBodyStyleNonce()
         $this->assertStringContainsString('nonce-', $result);
     }
 
+    public function testBodyStyleNonceCustomStyleTag()
+    {
+        $config                = new CSPConfig();
+        $config->styleNonceTag = '{custom-style-nonce-tag}';
+        $csp                   = new ContentSecurityPolicy($config);
+
+        $response = new Response(new App());
+        $response->pretend(true);
+        $body = 'Blah blah {custom-style-nonce-tag} blah blah';
+        $response->setBody($body);
+
+        $csp->finalize($response);
+
+        $this->assertStringContainsString('nonce=', $response->getBody());
+    }
+
     /**
      * @runInSeparateProcess
      * @preserveGlobalState  disabled

From 7a75b89b8b7aed4a9ad4f5f76805428b4c3216a6 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 13:49:53 +0900
Subject: [PATCH 05/24] feat: add csp_style_nonce() and csp_script_nonce()

---
 system/Common.php                    | 35 ++++++++++++++++++++++++++++
 tests/system/CommonFunctionsTest.php | 10 ++++++++
 2 files changed, 45 insertions(+)

diff --git a/system/Common.php b/system/Common.php
index e2fa9bce5a33..80a7dc013944 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -21,6 +21,7 @@
 use CodeIgniter\HTTP\Exceptions\HTTPException;
 use CodeIgniter\HTTP\RedirectResponse;
 use CodeIgniter\HTTP\RequestInterface;
+use CodeIgniter\HTTP\Response;
 use CodeIgniter\HTTP\ResponseInterface;
 use CodeIgniter\HTTP\URI;
 use CodeIgniter\Model;
@@ -288,6 +289,40 @@ function csrf_meta(?string $id = null): string
     }
 }
 
+if (! function_exists('csp_style_nonce')) {
+    /**
+     * Generates a nonce attribute for style tag.
+     */
+    function csp_style_nonce(): string
+    {
+        /** @var Response $response */
+        $response = Services::response();
+
+        if (! $response->CSP->enabled()) {
+            return '';
+        }
+
+        return 'nonce="' . $response->CSP->getStyleNonce() . '"';
+    }
+}
+
+if (! function_exists('csp_script_nonce')) {
+    /**
+     * Generates a nonce attribute for script tag.
+     */
+    function csp_script_nonce(): string
+    {
+        /** @var Response $response */
+        $response = Services::response();
+
+        if (! $response->CSP->enabled()) {
+            return '';
+        }
+
+        return 'nonce="' . $response->CSP->getScriptNonce() . '"';
+    }
+}
+
 if (! function_exists('db_connect')) {
     /**
      * Grabs a database connection and returns it to the user.
diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index 3916a1ab785f..f55f55fb45b4 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -549,4 +549,14 @@ public function testTraceWithCSP()
         $this->expectOutputRegex('/<style {csp-style-nonce} class="kint-rich-style">/u');
         trace();
     }
+
+    public function testCspStyleNonce()
+    {
+        $this->assertStringContainsString('nonce="', csp_style_nonce());
+    }
+
+    public function testCspScriptNonce()
+    {
+        $this->assertStringContainsString('nonce="', csp_script_nonce());
+    }
 }

From a08d7e587550db82307585a18c25cc559c3a5da0 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 13:53:05 +0900
Subject: [PATCH 06/24] refactor: use csp_script_nonce() and csp_script_nonce()
 in Debug Toolbar

---
 system/Debug/Toolbar.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/system/Debug/Toolbar.php b/system/Debug/Toolbar.php
index 8e100fe25a6b..bf502f1f1563 100644
--- a/system/Debug/Toolbar.php
+++ b/system/Debug/Toolbar.php
@@ -402,11 +402,11 @@ public function prepare(?RequestInterface $request = null, ?ResponseInterface $r
             $kintScript         = substr($kintScript, 0, strpos($kintScript, '</style>') + 8);
 
             $script = PHP_EOL
-                . '<script type="text/javascript" {csp-script-nonce} id="debugbar_loader" '
+                . '<script type="text/javascript" ' . csp_script_nonce() . ' id="debugbar_loader" '
                 . 'data-time="' . $time . '" '
                 . 'src="' . site_url() . '?debugbar"></script>'
-                . '<script type="text/javascript" {csp-script-nonce} id="debugbar_dynamic_script"></script>'
-                . '<style type="text/css" {csp-style-nonce} id="debugbar_dynamic_style"></style>'
+                . '<script type="text/javascript" ' . csp_script_nonce() . ' id="debugbar_dynamic_script"></script>'
+                . '<style type="text/css" ' . csp_style_nonce() . ' id="debugbar_dynamic_style"></style>'
                 . $kintScript
                 . PHP_EOL;
 

From e7b0727e8d42833bbee5a38476a76ade10bd4f5b Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 13:55:42 +0900
Subject: [PATCH 07/24] config: fix incorrect property name

---
 env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/env b/env
index 7b52d6690441..e11bb08e0493 100644
--- a/env
+++ b/env
@@ -60,7 +60,7 @@
 # contentsecuritypolicy.scriptSrc = 'self'
 # contentsecuritypolicy.styleSrc = 'self'
 # contentsecuritypolicy.imageSrc = 'self'
-# contentsecuritypolicy.base_uri = null
+# contentsecuritypolicy.baseURI = null
 # contentsecuritypolicy.childSrc = null
 # contentsecuritypolicy.connectSrc = 'self'
 # contentsecuritypolicy.fontSrc = null

From d548118c264dedc1dde45b6ca0afcd550462b49f Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 14:01:36 +0900
Subject: [PATCH 08/24] feat: add config for disabling to replace nonce tag
 automatically

---
 app/Config/ContentSecurityPolicy.php          |  7 ++++
 env                                           |  1 +
 system/HTTP/ContentSecurityPolicy.php         | 11 +++++++
 .../system/HTTP/ContentSecurityPolicyTest.php | 32 +++++++++++++++++++
 4 files changed, 51 insertions(+)

diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
index b4450d5ed422..aa18ba9f1060 100644
--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
@@ -178,4 +178,11 @@ class ContentSecurityPolicy extends BaseConfig
      * @var string
      */
     public $scriptNonceTag = '{csp-script-nonce}';
+
+    /**
+     * Replace nonce tag automatically
+     *
+     * @var bool
+     */
+    public $autoNonce = true;
 }
diff --git a/env b/env
index e11bb08e0493..83def018081f 100644
--- a/env
+++ b/env
@@ -75,6 +75,7 @@
 # contentsecuritypolicy.upgradeInsecureRequests = false
 # contentsecuritypolicy.styleNonceTag = '{csp-style-nonce}'
 # contentsecuritypolicy.scriptNonceTag = '{csp-script-nonce}'
+# contentsecuritypolicy.autoNonce = true
 
 #--------------------------------------------------------------------
 # COOKIE
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index fb70c613549a..341411013d0e 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -204,6 +204,13 @@ class ContentSecurityPolicy
      */
     protected $scriptNonceTag = '{csp-script-nonce}';
 
+    /**
+     * Replace nonce tag automatically
+     *
+     * @var bool
+     */
+    protected $autoNonce = true;
+
     /**
      * An array of header info since we have
      * to build ourself before passing to Response.
@@ -288,6 +295,10 @@ public function getScriptNonce(): string
      */
     public function finalize(ResponseInterface &$response)
     {
+        if ($this->autoNonce === false) {
+            return;
+        }
+
         $this->generateNonces($response);
         $this->buildHeaders($response);
     }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 5525309d7a2f..fa95d9ba9fb6 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -480,6 +480,38 @@ public function testBodyScriptNonceCustomScriptTag()
         $this->assertStringContainsString('nonce=', $response->getBody());
     }
 
+    public function testBodyScriptNonceDisableAutoNonce()
+    {
+        $config            = new CSPConfig();
+        $config->autoNonce = false;
+        $csp               = new ContentSecurityPolicy($config);
+
+        $response = new Response(new App());
+        $response->pretend(true);
+        $body = 'Blah blah {csp-script-nonce} blah blah';
+        $response->setBody($body);
+
+        $csp->finalize($response);
+
+        $this->assertStringContainsString('{csp-script-nonce}', $response->getBody());
+    }
+
+    public function testBodyStyleNonceDisableAutoNonce()
+    {
+        $config            = new CSPConfig();
+        $config->autoNonce = false;
+        $csp               = new ContentSecurityPolicy($config);
+
+        $response = new Response(new App());
+        $response->pretend(true);
+        $body = 'Blah blah {csp-style-nonce} blah blah';
+        $response->setBody($body);
+
+        $csp->finalize($response);
+
+        $this->assertStringContainsString('{csp-style-nonce}', $response->getBody());
+    }
+
     /**
      * @runInSeparateProcess
      * @preserveGlobalState  disabled

From bc52fad6678b3600e2d62139a032dbd5a2482192 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 14:13:57 +0900
Subject: [PATCH 09/24] refactor: use csp_script_nonce() and csp_script_nonce()
 in Kint

---
 system/Debug/Kint/RichRenderer.php   | 4 ++--
 tests/system/CommonFunctionsTest.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/system/Debug/Kint/RichRenderer.php b/system/Debug/Kint/RichRenderer.php
index 756cac75e144..8210fb21e1c2 100644
--- a/system/Debug/Kint/RichRenderer.php
+++ b/system/Debug/Kint/RichRenderer.php
@@ -36,11 +36,11 @@ public function preRender()
 
                 switch ($type) {
                     case 'script':
-                        $output .= '<script {csp-script-nonce} class="kint-rich-script">' . $contents . '</script>';
+                        $output .= '<script ' . csp_script_nonce() . ' class="kint-rich-script">' . $contents . '</script>';
                         break;
 
                     case 'style':
-                        $output .= '<style {csp-style-nonce} class="kint-rich-style">' . $contents . '</style>';
+                        $output .= '<style ' . csp_style_nonce() . ' class="kint-rich-style">' . $contents . '</style>';
                         break;
 
                     default:
diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index f55f55fb45b4..51eb7f94938f 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -527,7 +527,7 @@ public function testDWithCSP()
         $config->CSPEnabled  = true;
         Kint::$cli_detection = false;
 
-        $this->expectOutputRegex('/<script {csp-script-nonce} class="kint-rich-script">/u');
+        $this->expectOutputRegex('/<script nonce="[0-9a-z]{24}" class="kint-rich-script">/u');
         d('string');
 
         // Restore settings
@@ -546,7 +546,7 @@ public function testTraceWithCSP()
         $config->CSPEnabled  = true;
         Kint::$cli_detection = false;
 
-        $this->expectOutputRegex('/<style {csp-style-nonce} class="kint-rich-style">/u');
+        $this->expectOutputRegex('/<style nonce="[0-9a-z]{24}" class="kint-rich-style">/u');
         trace();
     }
 

From 9b1f5131c65469b57bd57b16284072e36c2fad0f Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 14:52:44 +0900
Subject: [PATCH 10/24] feat: add Services::contentsecuritypolicy()

---
 system/Config/BaseService.php         |  3 +++
 system/Config/Services.php            | 18 ++++++++++++++++++
 system/HTTP/ContentSecurityPolicy.php |  3 +++
 3 files changed, 24 insertions(+)

diff --git a/system/Config/BaseService.php b/system/Config/BaseService.php
index b50617d7ed83..64c2948df3c6 100644
--- a/system/Config/BaseService.php
+++ b/system/Config/BaseService.php
@@ -28,6 +28,7 @@
 use CodeIgniter\Format\Format;
 use CodeIgniter\Honeypot\Honeypot;
 use CodeIgniter\HTTP\CLIRequest;
+use CodeIgniter\HTTP\ContentSecurityPolicy;
 use CodeIgniter\HTTP\CURLRequest;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\Negotiate;
@@ -56,6 +57,7 @@
 use Config\App;
 use Config\Autoload;
 use Config\Cache;
+use Config\ContentSecurityPolicy as CSPConfig;
 use Config\Encryption;
 use Config\Exceptions as ConfigExceptions;
 use Config\Filters as ConfigFilters;
@@ -94,6 +96,7 @@
  * @method static CLIRequest clirequest(App $config = null, $getShared = true)
  * @method static CodeIgniter codeigniter(App $config = null, $getShared = true)
  * @method static Commands commands($getShared = true)
+ * @method static ContentSecurityPolicy contentsecuritypolicy(CSPConfig $config = null, $getShared = true)
  * @method static CURLRequest curlrequest($options = [], ResponseInterface $response = null, App $config = null, $getShared = true)
  * @method static Email email($config = null, $getShared = true)
  * @method static EncrypterInterface encrypter(Encryption $config = null, $getShared = false)
diff --git a/system/Config/Services.php b/system/Config/Services.php
index b72fad36eec7..dcad21799681 100644
--- a/system/Config/Services.php
+++ b/system/Config/Services.php
@@ -28,6 +28,7 @@
 use CodeIgniter\Format\Format;
 use CodeIgniter\Honeypot\Honeypot;
 use CodeIgniter\HTTP\CLIRequest;
+use CodeIgniter\HTTP\ContentSecurityPolicy;
 use CodeIgniter\HTTP\CURLRequest;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\Negotiate;
@@ -56,6 +57,7 @@
 use CodeIgniter\View\View;
 use Config\App;
 use Config\Cache;
+use Config\ContentSecurityPolicy as CSPConfig;
 use Config\Email as EmailConfig;
 use Config\Encryption as EncryptionConfig;
 use Config\Exceptions as ExceptionsConfig;
@@ -153,6 +155,22 @@ public static function commands(bool $getShared = true)
         return new Commands();
     }
 
+    /**
+     * Content Security Policy
+     *
+     * @return ContentSecurityPolicy
+     */
+    public static function contentsecuritypolicy(?CSPConfig $config = null, bool $getShared = true)
+    {
+        if ($getShared) {
+            return static::getSharedInstance('contentsecuritypolicy', $config);
+        }
+
+        $config = $config ?? config('ContentSecurityPolicy');
+
+        return new ContentSecurityPolicy($config);
+    }
+
     /**
      * The CURL Request class acts as a simple HTTP client for interacting
      * with other servers, typically through APIs.
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 341411013d0e..dbfeb2ababc4 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -241,6 +241,9 @@ class ContentSecurityPolicy
      */
     public function __construct(ContentSecurityPolicyConfig $config)
     {
+        $appConfig        = config('App');
+        $this->CSPEnabled = $appConfig->CSPEnabled;
+
         foreach (get_object_vars($config) as $setting => $value) {
             if (property_exists($this, $setting)) {
                 $this->{$setting} = $value;

From 9ece590bd3dfa0fa96f02447c13a63b5f46ee7a7 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 14:54:38 +0900
Subject: [PATCH 11/24] refactor: use Services::contentsecuritypolicy()

---
 system/Common.php                             | 14 +++++------
 system/HTTP/ContentSecurityPolicy.php         |  8 -------
 system/HTTP/Response.php                      |  7 ++----
 tests/system/CommonFunctionsTest.php          | 24 +++++++++++++++----
 .../system/HTTP/ContentSecurityPolicyTest.php |  5 +++-
 tests/system/HTTP/ResponseSendTest.php        |  5 +++-
 6 files changed, 36 insertions(+), 27 deletions(-)

diff --git a/system/Common.php b/system/Common.php
index 80a7dc013944..7db4474f9c0d 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -295,14 +295,13 @@ function csrf_meta(?string $id = null): string
      */
     function csp_style_nonce(): string
     {
-        /** @var Response $response */
-        $response = Services::response();
+        $csp = Services::contentsecuritypolicy();
 
-        if (! $response->CSP->enabled()) {
+        if (! $csp->enabled()) {
             return '';
         }
 
-        return 'nonce="' . $response->CSP->getStyleNonce() . '"';
+        return 'nonce="' . $csp->getStyleNonce() . '"';
     }
 }
 
@@ -312,14 +311,13 @@ function csp_style_nonce(): string
      */
     function csp_script_nonce(): string
     {
-        /** @var Response $response */
-        $response = Services::response();
+        $csp = Services::contentsecuritypolicy();
 
-        if (! $response->CSP->enabled()) {
+        if (! $csp->enabled()) {
             return '';
         }
 
-        return 'nonce="' . $response->CSP->getScriptNonce() . '"';
+        return 'nonce="' . $csp->getScriptNonce() . '"';
     }
 }
 
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index dbfeb2ababc4..00fdb5f8ba0d 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -251,14 +251,6 @@ public function __construct(ContentSecurityPolicyConfig $config)
         }
     }
 
-    /**
-     * Enable CSP
-     */
-    public function enable(): void
-    {
-        $this->CSPEnabled = true;
-    }
-
     /**
      * Whether Content Security Policy is being enforced.
      */
diff --git a/system/HTTP/Response.php b/system/HTTP/Response.php
index f25962d6af37..015bb658a275 100644
--- a/system/HTTP/Response.php
+++ b/system/HTTP/Response.php
@@ -16,7 +16,7 @@
 use CodeIgniter\Cookie\Exceptions\CookieException;
 use CodeIgniter\HTTP\Exceptions\HTTPException;
 use Config\App;
-use Config\ContentSecurityPolicy as CSPConfig;
+use Config\Services;
 
 /**
  * Representation of an outgoing, getServer-side response.
@@ -152,12 +152,9 @@ public function __construct($config)
         $this->noCache();
 
         // We need CSP object even if not enabled to avoid calls to non existing methods
-        $this->CSP = new ContentSecurityPolicy(new CSPConfig());
+        $this->CSP = Services::contentsecuritypolicy();
 
         $this->CSPEnabled = $config->CSPEnabled;
-        if ($config->CSPEnabled) {
-            $this->CSP->enable();
-        }
 
         // DEPRECATED COOKIE MANAGEMENT
 
diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index 51eb7f94938f..cf8dd9c89aa4 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -519,9 +519,11 @@ public function testIsCli()
 
     public function testDWithCSP()
     {
+        $this->resetServices();
+        $this->resetFactories();
+
         /** @var App $config */
-        $config       = config(App::class);
-        $CSPEnabled   = $config->CSPEnabled;
+        $config       = config('App');
         $cliDetection = Kint::$cli_detection;
 
         $config->CSPEnabled  = true;
@@ -531,7 +533,6 @@ public function testDWithCSP()
         d('string');
 
         // Restore settings
-        $config->CSPEnabled  = $CSPEnabled;
         Kint::$cli_detection = $cliDetection;
     }
 
@@ -541,8 +542,11 @@ public function testDWithCSP()
      */
     public function testTraceWithCSP()
     {
+        $this->resetServices();
+        $this->resetFactories();
+
         /** @var App $config */
-        $config              = config(App::class);
+        $config              = config('App');
         $config->CSPEnabled  = true;
         Kint::$cli_detection = false;
 
@@ -552,11 +556,23 @@ public function testTraceWithCSP()
 
     public function testCspStyleNonce()
     {
+        $this->resetServices();
+        $this->resetFactories();
+
+        $config             = config('App');
+        $config->CSPEnabled = true;
+
         $this->assertStringContainsString('nonce="', csp_style_nonce());
     }
 
     public function testCspScriptNonce()
     {
+        $this->resetServices();
+        $this->resetFactories();
+
+        $config             = config('App');
+        $config->CSPEnabled = true;
+
         $this->assertStringContainsString('nonce="', csp_script_nonce());
     }
 }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index fa95d9ba9fb6..c1c91d7b4da4 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -28,7 +28,10 @@ final class ContentSecurityPolicyTest extends CIUnitTestCase
     // Having this method as setUp() doesn't work - can't find Config\App !?
     protected function prepare(bool $CSPEnabled = true)
     {
-        $config             = new App();
+        $this->resetServices();
+        $this->resetFactories();
+
+        $config             = config('App');
         $config->CSPEnabled = $CSPEnabled;
         $this->response     = new Response($config);
         $this->response->pretend(false);
diff --git a/tests/system/HTTP/ResponseSendTest.php b/tests/system/HTTP/ResponseSendTest.php
index 6610321040a2..eef845297182 100644
--- a/tests/system/HTTP/ResponseSendTest.php
+++ b/tests/system/HTTP/ResponseSendTest.php
@@ -79,7 +79,10 @@ public function testHeadersMissingDate()
      */
     public function testHeadersWithCSP()
     {
-        $config             = new App();
+        $this->resetFactories();
+        $this->resetServices();
+
+        $config             = config('App');
         $config->CSPEnabled = true;
         $response           = new Response($config);
         $response->pretend(false);

From 031e411449cc768d8d6ddb82cab8b6477711f7e4 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 16:45:03 +0900
Subject: [PATCH 12/24] fix: CSP nonce header is nottt sent when CSP tag
 replacement does not happen

---
 system/HTTP/ContentSecurityPolicy.php         | 30 ++++++++-----------
 .../system/HTTP/ContentSecurityPolicyTest.php | 15 ++++++++++
 2 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 00fdb5f8ba0d..b7f9b066d7d8 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -249,6 +249,14 @@ public function __construct(ContentSecurityPolicyConfig $config)
                 $this->{$setting} = $value;
             }
         }
+
+        if (! is_array($this->styleSrc)) {
+            $this->styleSrc = [$this->styleSrc];
+        }
+
+        if (! is_array($this->scriptSrc)) {
+            $this->scriptSrc = [$this->scriptSrc];
+        }
     }
 
     /**
@@ -266,6 +274,7 @@ public function getStyleNonce(): string
     {
         if ($this->styleNonce === null) {
             $this->styleNonce = bin2hex(random_bytes(12));
+            $this->styleSrc[] = 'nonce-' . $this->styleNonce;
         }
 
         return $this->styleNonce;
@@ -278,6 +287,7 @@ public function getScriptNonce(): string
     {
         if ($this->scriptNonce === null) {
             $this->scriptNonce = bin2hex(random_bytes(12));
+            $this->scriptSrc[] = 'nonce-' . $this->scriptNonce;
         }
 
         return $this->scriptNonce;
@@ -661,25 +671,13 @@ protected function generateNonces(ResponseInterface &$response)
             return;
         }
 
-        if (! is_array($this->styleSrc)) {
-            $this->styleSrc = [$this->styleSrc];
-        }
-
-        if (! is_array($this->scriptSrc)) {
-            $this->scriptSrc = [$this->scriptSrc];
-        }
-
         // Replace style placeholders with nonces
         $pattern = '/' . preg_quote($this->styleNonceTag, '/') . '/';
         $body    = preg_replace_callback($pattern, function () {
             $nonce = $this->getStyleNonce();
 
             return "nonce=\"{$nonce}\"";
-        }, $body, -1, $count);
-
-        if ($count > 0) {
-            $this->styleSrc[] = 'nonce-' . $this->styleNonce;
-        }
+        }, $body);
 
         // Replace script placeholders with nonces
         $pattern = '/' . preg_quote($this->scriptNonceTag, '/') . '/';
@@ -687,11 +685,7 @@ protected function generateNonces(ResponseInterface &$response)
             $nonce = $this->getScriptNonce();
 
             return "nonce=\"{$nonce}\"";
-        }, $body, -1, $count);
-
-        if ($count > 0) {
-            $this->scriptSrc[] = 'nonce-' . $this->scriptNonce;
-        }
+        }, $body);
 
         $response->setBody($body);
     }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index c1c91d7b4da4..4a90d7313e38 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -605,4 +605,19 @@ public function testGetStyleNonce()
 
         $this->assertMatchesRegularExpression('/[0-9a-z]{24}/', $nonce);
     }
+
+    /**
+     * @runInSeparateProcess
+     * @preserveGlobalState  disabled
+     */
+    public function testHeaderScriptNonceEmittedOnceGetScriptNonceCalled()
+    {
+        $this->prepare();
+
+        $this->csp->getScriptNonce();
+        $this->work();
+
+        $result = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertStringContainsString("script-src 'self' 'nonce-", $result);
+    }
 }

From 571a34c97f18c9880ac389c5982a7a3a16e5fc54 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Fri, 31 Dec 2021 19:32:47 +0900
Subject: [PATCH 13/24] test: make regex strict

---
 tests/system/HTTP/ContentSecurityPolicyTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 4a90d7313e38..e13b5954bb47 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -594,7 +594,7 @@ public function testGetScriptNonce()
 
         $nonce = $this->csp->getScriptNonce();
 
-        $this->assertMatchesRegularExpression('/[0-9a-z]{24}/', $nonce);
+        $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
     }
 
     public function testGetStyleNonce()
@@ -603,7 +603,7 @@ public function testGetStyleNonce()
 
         $nonce = $this->csp->getStyleNonce();
 
-        $this->assertMatchesRegularExpression('/[0-9a-z]{24}/', $nonce);
+        $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
     }
 
     /**

From 3fde024d32ace899657c4db51067c1b379079bf7 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Tue, 4 Jan 2022 17:07:16 +0900
Subject: [PATCH 14/24] refactor: remove uneeded use statement

---
 system/Common.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/system/Common.php b/system/Common.php
index 7db4474f9c0d..979a5c07f4e1 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -21,7 +21,6 @@
 use CodeIgniter\HTTP\Exceptions\HTTPException;
 use CodeIgniter\HTTP\RedirectResponse;
 use CodeIgniter\HTTP\RequestInterface;
-use CodeIgniter\HTTP\Response;
 use CodeIgniter\HTTP\ResponseInterface;
 use CodeIgniter\HTTP\URI;
 use CodeIgniter\Model;

From c4aaa4f4b0cb6ed751ed2b8a2a8a43dd7b958cd3 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Tue, 4 Jan 2022 17:10:12 +0900
Subject: [PATCH 15/24] refactor: rename from contentsecuritypolicy() to csp()

---
 system/Common.php             | 4 ++--
 system/Config/BaseService.php | 2 +-
 system/Config/Services.php    | 4 ++--
 system/HTTP/Response.php      | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/system/Common.php b/system/Common.php
index 979a5c07f4e1..690275c4fedf 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -294,7 +294,7 @@ function csrf_meta(?string $id = null): string
      */
     function csp_style_nonce(): string
     {
-        $csp = Services::contentsecuritypolicy();
+        $csp = Services::csp();
 
         if (! $csp->enabled()) {
             return '';
@@ -310,7 +310,7 @@ function csp_style_nonce(): string
      */
     function csp_script_nonce(): string
     {
-        $csp = Services::contentsecuritypolicy();
+        $csp = Services::csp();
 
         if (! $csp->enabled()) {
             return '';
diff --git a/system/Config/BaseService.php b/system/Config/BaseService.php
index 64c2948df3c6..38bac37fdaa9 100644
--- a/system/Config/BaseService.php
+++ b/system/Config/BaseService.php
@@ -96,7 +96,7 @@
  * @method static CLIRequest clirequest(App $config = null, $getShared = true)
  * @method static CodeIgniter codeigniter(App $config = null, $getShared = true)
  * @method static Commands commands($getShared = true)
- * @method static ContentSecurityPolicy contentsecuritypolicy(CSPConfig $config = null, $getShared = true)
+ * @method static ContentSecurityPolicy csp(CSPConfig $config = null, $getShared = true)
  * @method static CURLRequest curlrequest($options = [], ResponseInterface $response = null, App $config = null, $getShared = true)
  * @method static Email email($config = null, $getShared = true)
  * @method static EncrypterInterface encrypter(Encryption $config = null, $getShared = false)
diff --git a/system/Config/Services.php b/system/Config/Services.php
index dcad21799681..3c36515be691 100644
--- a/system/Config/Services.php
+++ b/system/Config/Services.php
@@ -160,10 +160,10 @@ public static function commands(bool $getShared = true)
      *
      * @return ContentSecurityPolicy
      */
-    public static function contentsecuritypolicy(?CSPConfig $config = null, bool $getShared = true)
+    public static function csp(?CSPConfig $config = null, bool $getShared = true)
     {
         if ($getShared) {
-            return static::getSharedInstance('contentsecuritypolicy', $config);
+            return static::getSharedInstance('csp', $config);
         }
 
         $config = $config ?? config('ContentSecurityPolicy');
diff --git a/system/HTTP/Response.php b/system/HTTP/Response.php
index 015bb658a275..493c990e1eae 100644
--- a/system/HTTP/Response.php
+++ b/system/HTTP/Response.php
@@ -152,7 +152,7 @@ public function __construct($config)
         $this->noCache();
 
         // We need CSP object even if not enabled to avoid calls to non existing methods
-        $this->CSP = Services::contentsecuritypolicy();
+        $this->CSP = Services::csp();
 
         $this->CSPEnabled = $config->CSPEnabled;
 

From 4b8b118daa19bdf12b646719ece7a6a24581de48 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Tue, 4 Jan 2022 17:27:33 +0900
Subject: [PATCH 16/24] test: remove unneeded $this->resetFactories()

It is called in CIUnitTestCase::setUp() via $setUpMethods.
---
 tests/system/CommonFunctionsTest.php            | 4 ----
 tests/system/HTTP/ContentSecurityPolicyTest.php | 1 -
 2 files changed, 5 deletions(-)

diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index cf8dd9c89aa4..8328de05271d 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -520,7 +520,6 @@ public function testIsCli()
     public function testDWithCSP()
     {
         $this->resetServices();
-        $this->resetFactories();
 
         /** @var App $config */
         $config       = config('App');
@@ -543,7 +542,6 @@ public function testDWithCSP()
     public function testTraceWithCSP()
     {
         $this->resetServices();
-        $this->resetFactories();
 
         /** @var App $config */
         $config              = config('App');
@@ -557,7 +555,6 @@ public function testTraceWithCSP()
     public function testCspStyleNonce()
     {
         $this->resetServices();
-        $this->resetFactories();
 
         $config             = config('App');
         $config->CSPEnabled = true;
@@ -568,7 +565,6 @@ public function testCspStyleNonce()
     public function testCspScriptNonce()
     {
         $this->resetServices();
-        $this->resetFactories();
 
         $config             = config('App');
         $config->CSPEnabled = true;
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index e13b5954bb47..2ab6ee747d91 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -29,7 +29,6 @@ final class ContentSecurityPolicyTest extends CIUnitTestCase
     protected function prepare(bool $CSPEnabled = true)
     {
         $this->resetServices();
-        $this->resetFactories();
 
         $config             = config('App');
         $config->CSPEnabled = $CSPEnabled;

From b1e91ddb72a2f91f7b0fe8cfd0e5c055e137a9e5 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Tue, 4 Jan 2022 18:53:37 +0900
Subject: [PATCH 17/24] feat: add csp_script_nonce and csp_style_nonce plugin
 for View Parser

---
 system/Config/View.php                 |  2 ++
 system/View/Plugins.php                | 16 ++++++++++++++++
 tests/system/View/ParserPluginTest.php | 13 +++++++++++++
 3 files changed, 31 insertions(+)

diff --git a/system/Config/View.php b/system/Config/View.php
index 5a8baeac2d6a..da4f81b1c716 100644
--- a/system/Config/View.php
+++ b/system/Config/View.php
@@ -76,6 +76,8 @@ class View extends BaseConfig
      * @var array
      */
     protected $corePlugins = [
+        'csp_script_nonce'  => '\CodeIgniter\View\Plugins::cspScriptNonce',
+        'csp_style_nonce'   => '\CodeIgniter\View\Plugins::cspStyleNonce',
         'current_url'       => '\CodeIgniter\View\Plugins::currentURL',
         'previous_url'      => '\CodeIgniter\View\Plugins::previousURL',
         'mailto'            => '\CodeIgniter\View\Plugins::mailto',
diff --git a/system/View/Plugins.php b/system/View/Plugins.php
index d0e170071a6a..b74ad96bd385 100644
--- a/system/View/Plugins.php
+++ b/system/View/Plugins.php
@@ -103,4 +103,20 @@ public static function siteURL(array $params = []): string
     {
         return site_url(...$params);
     }
+
+    /**
+     * Wrap csp_script_nonce() function to use as view plugin.
+     */
+    public static function cspScriptNonce(): string
+    {
+        return csp_script_nonce();
+    }
+
+    /**
+     * Wrap csp_style_nonce() function to use as view plugin.
+     */
+    public static function cspStyleNonce(): string
+    {
+        return csp_style_nonce();
+    }
 }
diff --git a/tests/system/View/ParserPluginTest.php b/tests/system/View/ParserPluginTest.php
index 85de3e7898fa..55e5e4ce9c75 100644
--- a/tests/system/View/ParserPluginTest.php
+++ b/tests/system/View/ParserPluginTest.php
@@ -133,4 +133,17 @@ public function setHints($output)
     {
         return preg_replace('/(<!-- DEBUG-VIEW+) (\w+) (\d+)/', '${1}', $output);
     }
+
+    public function testCspScriptNonceWithCspEnabled()
+    {
+        $config             = config('App');
+        $config->CSPEnabled = true;
+
+        $template = 'aaa {+ csp_script_nonce +} bbb';
+
+        $this->assertMatchesRegularExpression(
+            '/aaa nonce="[0-9a-z]{24}" bbb/',
+            $this->parser->renderString($template)
+        );
+    }
 }

From c472bb645d17040a31e7ea34ddd145cf3ecfe8ba Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Wed, 5 Jan 2022 15:47:01 +0900
Subject: [PATCH 18/24] docs: update user guide

---
 .../source/general/common_functions.rst       | 16 +++++++++++++
 user_guide_src/source/outgoing/response.rst   | 23 +++++++++++++++++++
 .../source/outgoing/view_parser.rst           |  4 ++++
 3 files changed, 43 insertions(+)

diff --git a/user_guide_src/source/general/common_functions.rst b/user_guide_src/source/general/common_functions.rst
index 96a16fde77b6..19fb3e454704 100755
--- a/user_guide_src/source/general/common_functions.rst
+++ b/user_guide_src/source/general/common_functions.rst
@@ -217,6 +217,22 @@ Miscellaneous Functions
 
     Returns the timezone the application has been set to display dates in.
 
+.. php:function:: csp_script_nonce ()
+
+    :returns: The CSP nonce attribute for script tag.
+    :rtype: string
+
+    Returns the nonce attribute for script tag. That is string like ``nonce="Eskdikejidojdk978Ad8jf"``.
+    See :ref:`content-security-policy`.
+
+.. php:function:: csp_style_nonce ()
+
+    :returns: The CSP nonce attribute for style tag.
+    :rtype: string
+
+    Returns the nonce attribute for style tag. That is string like ``nonce="Eskdikejidojdk978Ad8jf"``.
+    See :ref:`content-security-policy`.
+
 .. php:function:: csrf_token ()
 
     :returns: The name of the current CSRF token.
diff --git a/user_guide_src/source/outgoing/response.rst b/user_guide_src/source/outgoing/response.rst
index 2cd619dbd390..af847fd0760b 100644
--- a/user_guide_src/source/outgoing/response.rst
+++ b/user_guide_src/source/outgoing/response.rst
@@ -133,6 +133,8 @@ to the ``Cache-Control`` header. You are free to set all of the options exactly
 situation. While most of the options are applied to the ``Cache-Control`` header, it intelligently handles
 the ``etag`` and ``last-modified`` options to their appropriate header.
 
+.. _content-security-policy:
+
 Content Security Policy
 =======================
 
@@ -249,6 +251,27 @@ life, and is most secure when generated on the fly. To make this simple, you can
         . . .
     </style>
 
+.. warning:: If an attacker injects string like ``<script {csp-script-nonce}>``, it might become the real nonce attribute with this functionality. You can customize the placeholder string with the ``$scriptNonceTag`` and ``$styleNonceTag`` properties in **app/Config/ContentSecurityPolicy.php**.
+
+If you don't like this auto replacement functionality, you can turn it off with setting ``$autoNonce = false`` in **app/Config/ContentSecurityPolicy.php**.
+
+In this case, you can use the functions, ``csp_script_nonce()`` and ``csp_style_nonce()``::
+
+    // Original
+    <script <?= csp_script_nonce() ?>>
+        console.log("Script won't run as it doesn't contain a nonce attribute");
+    </script>
+
+    // Becomes
+    <script nonce="Eskdikejidojdk978Ad8jf">
+        console.log("Script won't run as it doesn't contain a nonce attribute");
+    </script>
+
+    // OR
+    <style <?= csp_style_nonce() ?>>
+        . . .
+    </style>
+
 Class Reference
 ===============
 
diff --git a/user_guide_src/source/outgoing/view_parser.rst b/user_guide_src/source/outgoing/view_parser.rst
index e182ce789b35..9aae57f1af00 100644
--- a/user_guide_src/source/outgoing/view_parser.rst
+++ b/user_guide_src/source/outgoing/view_parser.rst
@@ -530,6 +530,10 @@ lang               language string           Alias for the lang helper function.
 validation_errors  fieldname(optional)       Returns either error string for the field    {+ validation_errors +} , {+ validation_errors field="email" +}
                                              (if specified) or all validation errors.
 route              route name                Alias for the route_to helper function.      {+ route "login" +}
+csp_script_nonce                             Alias for the csp_script_nonce helper        {+ csp_script_nonce +}
+                                             function.
+csp_style_nonce                              Alias for the csp_style_nonce helper         {+ csp_style_nonce +}
+                                             function.
 ================== ========================= ============================================ ================================================================
 
 Registering a Plugin

From dee40c1220d0cbec29f36fd9a931d9858e4e7314 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Thu, 6 Jan 2022 12:56:23 +0900
Subject: [PATCH 19/24] docs: fix by proofreading

Co-authored-by: MGatner <mgatner@icloud.com>
---
 user_guide_src/source/general/common_functions.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user_guide_src/source/general/common_functions.rst b/user_guide_src/source/general/common_functions.rst
index 19fb3e454704..b7b7143e8f53 100755
--- a/user_guide_src/source/general/common_functions.rst
+++ b/user_guide_src/source/general/common_functions.rst
@@ -222,7 +222,7 @@ Miscellaneous Functions
     :returns: The CSP nonce attribute for script tag.
     :rtype: string
 
-    Returns the nonce attribute for script tag. That is string like ``nonce="Eskdikejidojdk978Ad8jf"``.
+    Returns the nonce attribute for a script tag. For example: ``nonce="Eskdikejidojdk978Ad8jf"``.
     See :ref:`content-security-policy`.
 
 .. php:function:: csp_style_nonce ()

From ae90f8e662f0aee8b32d5e754a4531f2f3270e8e Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Thu, 6 Jan 2022 12:56:33 +0900
Subject: [PATCH 20/24] docs: fix by proofreading

Co-authored-by: MGatner <mgatner@icloud.com>
---
 user_guide_src/source/general/common_functions.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user_guide_src/source/general/common_functions.rst b/user_guide_src/source/general/common_functions.rst
index b7b7143e8f53..c041e470e920 100755
--- a/user_guide_src/source/general/common_functions.rst
+++ b/user_guide_src/source/general/common_functions.rst
@@ -230,7 +230,7 @@ Miscellaneous Functions
     :returns: The CSP nonce attribute for style tag.
     :rtype: string
 
-    Returns the nonce attribute for style tag. That is string like ``nonce="Eskdikejidojdk978Ad8jf"``.
+    Returns the nonce attribute for a style tag. For example: ``nonce="Eskdikejidojdk978Ad8jf"``.
     See :ref:`content-security-policy`.
 
 .. php:function:: csrf_token ()

From 161be1065518cf63a3273a0a37158218a2bceaa9 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Thu, 6 Jan 2022 12:56:43 +0900
Subject: [PATCH 21/24] docs: fix by proofreading

Co-authored-by: MGatner <mgatner@icloud.com>
---
 user_guide_src/source/outgoing/response.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user_guide_src/source/outgoing/response.rst b/user_guide_src/source/outgoing/response.rst
index af847fd0760b..b4622bd93b88 100644
--- a/user_guide_src/source/outgoing/response.rst
+++ b/user_guide_src/source/outgoing/response.rst
@@ -251,7 +251,7 @@ life, and is most secure when generated on the fly. To make this simple, you can
         . . .
     </style>
 
-.. warning:: If an attacker injects string like ``<script {csp-script-nonce}>``, it might become the real nonce attribute with this functionality. You can customize the placeholder string with the ``$scriptNonceTag`` and ``$styleNonceTag`` properties in **app/Config/ContentSecurityPolicy.php**.
+.. warning:: If an attacker injects a string like ``<script {csp-script-nonce}>``, it might become the real nonce attribute with this functionality. You can customize the placeholder string with the ``$scriptNonceTag`` and ``$styleNonceTag`` properties in **app/Config/ContentSecurityPolicy.php**.
 
 If you don't like this auto replacement functionality, you can turn it off with setting ``$autoNonce = false`` in **app/Config/ContentSecurityPolicy.php**.
 

From 1184046f671fec49c2d846988f624fc331a462f6 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Thu, 6 Jan 2022 12:58:22 +0900
Subject: [PATCH 22/24] test: use more specific assert method

---
 tests/system/CommonFunctionsTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index 8328de05271d..15a511926d3c 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -559,7 +559,7 @@ public function testCspStyleNonce()
         $config             = config('App');
         $config->CSPEnabled = true;
 
-        $this->assertStringContainsString('nonce="', csp_style_nonce());
+        $this->assertStringStartsWith('nonce="', csp_style_nonce());
     }
 
     public function testCspScriptNonce()
@@ -569,6 +569,6 @@ public function testCspScriptNonce()
         $config             = config('App');
         $config->CSPEnabled = true;
 
-        $this->assertStringContainsString('nonce="', csp_script_nonce());
+        $this->assertStringStartsWith('nonce="', csp_script_nonce());
     }
 }

From f686c252c1753386c50298dde0287c76dd628c8e Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Thu, 6 Jan 2022 13:33:16 +0900
Subject: [PATCH 23/24] docs: add changelogs/v4.2.0

---
 user_guide_src/source/changelogs/index.rst  |  1 +
 user_guide_src/source/changelogs/v4.2.0.rst | 39 +++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 user_guide_src/source/changelogs/v4.2.0.rst

diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
index 74e782cb3508..da5ac2994d92 100644
--- a/user_guide_src/source/changelogs/index.rst
+++ b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
     :titlesonly:
 
+    v4.2.0
     v4.1.7
     v4.1.6
     v4.1.5
diff --git a/user_guide_src/source/changelogs/v4.2.0.rst b/user_guide_src/source/changelogs/v4.2.0.rst
new file mode 100644
index 000000000000..c4722995961a
--- /dev/null
+++ b/user_guide_src/source/changelogs/v4.2.0.rst
@@ -0,0 +1,39 @@
+Version 4.2.0
+#############
+
+Release Date: Not Released
+
+**4.2.0 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+BREAKING
+********
+
+
+
+Enhancements
+************
+
+- Content Security Policy (CSP) enhancements
+    - Added the configs ``$scriptNonceTag`` and ``$styleNonceTag`` in  ``Config\ContentSecurityPolicy`` to customize the CSP placeholders (``{csp-script-nonce}`` and ``{csp-style-nonce}``)
+    - Added the config ``$autoNonce`` in ``Config\ContentSecurityPolicy`` to disable the CSP placeholder replacement
+    - Added the functions ``csp_script_nonce()`` and ``csp_style_nonce()`` to get nonce attributes
+    - See :ref:`content-security-policy` for details.
+
+Changes
+*******
+
+- The current version of Content Security Policy (CSP) outputs one nonce for script and one for style tags. The previous version outputted one nonce for each tag.
+
+Deprecations
+************
+
+
+
+Bugs Fixed
+**********
+
+See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.

From 444da2bd39d918621ff461c17c2de7ce168287ba Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Wed, 12 Jan 2022 09:23:36 +0900
Subject: [PATCH 24/24] refactor: fix by rector

---
 system/Config/Services.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/Config/Services.php b/system/Config/Services.php
index 3c36515be691..2d44e3ccfd78 100644
--- a/system/Config/Services.php
+++ b/system/Config/Services.php
@@ -166,7 +166,7 @@ public static function csp(?CSPConfig $config = null, bool $getShared = true)
             return static::getSharedInstance('csp', $config);
         }
 
-        $config = $config ?? config('ContentSecurityPolicy');
+        $config ??= config('ContentSecurityPolicy');
 
         return new ContentSecurityPolicy($config);
     }