feat: CSP enhancements

app/Config/ContentSecurityPolicy.php

@@ -164,4 +164,25 @@ class ContentSecurityPolicy extends BaseConfig
      * @var string|string[]|null
      */
     public $sandbox;
+
+    /**
+     * Nonce tag for style
+     *
+     * @var string
+     */
+    public $styleNonceTag = '{csp-style-nonce}';
+
+    /**
+     * Nonce tag for script
+     *
+     * @var string
+     */
+    public $scriptNonceTag = '{csp-script-nonce}';
+
+    /**
+     * Replace nonce tag automatically
+     *
+     * @var bool
+     */
+    public $autoNonce = true;
 }

env

@@ -60,7 +60,7 @@
 # contentsecuritypolicy.scriptSrc = 'self'
 # contentsecuritypolicy.styleSrc = 'self'
 # contentsecuritypolicy.imageSrc = 'self'
-# contentsecuritypolicy.base_uri = null
+# contentsecuritypolicy.baseURI = null
 # contentsecuritypolicy.childSrc = null
 # contentsecuritypolicy.connectSrc = 'self'
 # contentsecuritypolicy.fontSrc = null
@@ -73,6 +73,9 @@
 # contentsecuritypolicy.reportURI = null
 # contentsecuritypolicy.sandbox = false
 # contentsecuritypolicy.upgradeInsecureRequests = false
+# contentsecuritypolicy.styleNonceTag = '{csp-style-nonce}'
+# contentsecuritypolicy.scriptNonceTag = '{csp-script-nonce}'
+# contentsecuritypolicy.autoNonce = true
 
 #--------------------------------------------------------------------
 # COOKIE

system/Common.php

@@ -288,6 +288,38 @@ function csrf_meta(?string $id = null): string
     }
 }
 
+if (! function_exists('csp_style_nonce')) {
+    /**
+     * Generates a nonce attribute for style tag.
+     */
+    function csp_style_nonce(): string
+    {
+        $csp = Services::csp();
+
+        if (! $csp->enabled()) {
+            return '';
+        }
+
+        return 'nonce="' . $csp->getStyleNonce() . '"';
+    }
+}
+
+if (! function_exists('csp_script_nonce')) {
+    /**
+     * Generates a nonce attribute for script tag.
+     */
+    function csp_script_nonce(): string
+    {
+        $csp = Services::csp();
+
+        if (! $csp->enabled()) {
+            return '';
+        }
+
+        return 'nonce="' . $csp->getScriptNonce() . '"';
+    }
+}
+
 if (! function_exists('db_connect')) {
     /**
      * Grabs a database connection and returns it to the user.

system/Config/BaseService.php

@@ -28,6 +28,7 @@
 use CodeIgniter\Format\Format;
 use CodeIgniter\Honeypot\Honeypot;
 use CodeIgniter\HTTP\CLIRequest;
+use CodeIgniter\HTTP\ContentSecurityPolicy;
 use CodeIgniter\HTTP\CURLRequest;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\Negotiate;
@@ -56,6 +57,7 @@
 use Config\App;
 use Config\Autoload;
 use Config\Cache;
+use Config\ContentSecurityPolicy as CSPConfig;
 use Config\Encryption;
 use Config\Exceptions as ConfigExceptions;
 use Config\Filters as ConfigFilters;
@@ -94,6 +96,7 @@
  * @method static CLIRequest clirequest(App $config = null, $getShared = true)
  * @method static CodeIgniter codeigniter(App $config = null, $getShared = true)
  * @method static Commands commands($getShared = true)
+ * @method static ContentSecurityPolicy csp(CSPConfig $config = null, $getShared = true)
  * @method static CURLRequest curlrequest($options = [], ResponseInterface $response = null, App $config = null, $getShared = true)
  * @method static Email email($config = null, $getShared = true)
  * @method static EncrypterInterface encrypter(Encryption $config = null, $getShared = false)

system/Config/Services.php

@@ -28,6 +28,7 @@
 use CodeIgniter\Format\Format;
 use CodeIgniter\Honeypot\Honeypot;
 use CodeIgniter\HTTP\CLIRequest;
+use CodeIgniter\HTTP\ContentSecurityPolicy;
 use CodeIgniter\HTTP\CURLRequest;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\Negotiate;
@@ -56,6 +57,7 @@
 use CodeIgniter\View\View;
 use Config\App;
 use Config\Cache;
+use Config\ContentSecurityPolicy as CSPConfig;
 use Config\Email as EmailConfig;
 use Config\Encryption as EncryptionConfig;
 use Config\Exceptions as ExceptionsConfig;
@@ -153,6 +155,22 @@ public static function commands(bool $getShared = true)
         return new Commands();
     }
 
+    /**
+     * Content Security Policy
+     *
+     * @return ContentSecurityPolicy
+     */
+    public static function csp(?CSPConfig $config = null, bool $getShared = true)
+    {
+        if ($getShared) {
+            return static::getSharedInstance('csp', $config);
+        }
+
+        $config ??= config('ContentSecurityPolicy');
+
+        return new ContentSecurityPolicy($config);
+    }
+
     /**
      * The CURL Request class acts as a simple HTTP client for interacting
      * with other servers, typically through APIs.

system/Config/View.php

@@ -76,6 +76,8 @@ class View extends BaseConfig
      * @var array
      */
     protected $corePlugins = [
+        'csp_script_nonce'  => '\CodeIgniter\View\Plugins::cspScriptNonce',
+        'csp_style_nonce'   => '\CodeIgniter\View\Plugins::cspStyleNonce',
         'current_url'       => '\CodeIgniter\View\Plugins::currentURL',
         'previous_url'      => '\CodeIgniter\View\Plugins::previousURL',
         'mailto'            => '\CodeIgniter\View\Plugins::mailto',

system/Debug/Kint/RichRenderer.php

@@ -36,11 +36,11 @@ public function preRender()
 
                 switch ($type) {
                     case 'script':
-                        $output .= '<script {csp-script-nonce} class="kint-rich-script">' . $contents . '</script>';
+                        $output .= '<script ' . csp_script_nonce() . ' class="kint-rich-script">' . $contents . '</script>';
                         break;
 
                     case 'style':
-                        $output .= '<style {csp-style-nonce} class="kint-rich-style">' . $contents . '</style>';
+                        $output .= '<style ' . csp_style_nonce() . ' class="kint-rich-style">' . $contents . '</style>';
                         break;
 
                     default:

system/Debug/Toolbar.php

@@ -402,11 +402,11 @@ public function prepare(?RequestInterface $request = null, ?ResponseInterface $r
             $kintScript         = substr($kintScript, 0, strpos($kintScript, '</style>') + 8);
 
             $script = PHP_EOL
-                . '<script type="text/javascript" {csp-script-nonce} id="debugbar_loader" '
+                . '<script type="text/javascript" ' . csp_script_nonce() . ' id="debugbar_loader" '
                 . 'data-time="' . $time . '" '
                 . 'src="' . site_url() . '?debugbar"></script>'
-                . '<script type="text/javascript" {csp-script-nonce} id="debugbar_dynamic_script"></script>'
-                . '<style type="text/css" {csp-style-nonce} id="debugbar_dynamic_style"></style>'
+                . '<script type="text/javascript" ' . csp_script_nonce() . ' id="debugbar_dynamic_script"></script>'
+                . '<style type="text/css" ' . csp_style_nonce() . ' id="debugbar_dynamic_style"></style>'
                 . $kintScript
                 . PHP_EOL;
 

system/HTTP/ContentSecurityPolicy.php

@@ -176,6 +176,41 @@ class ContentSecurityPolicy
      */
     protected $nonces = [];
 
+    /**
+     * Nonce for style
+     *
+     * @var string
+     */
+    protected $styleNonce;
+
+    /**
+     * Nonce for script
+     *
+     * @var string
+     */
+    protected $scriptNonce;
+
+    /**
+     * Nonce tag for style
+     *
+     * @var string
+     */
+    protected $styleNonceTag = '{csp-style-nonce}';
+
+    /**
+     * Nonce tag for script
+     *
+     * @var string
+     */
+    protected $scriptNonceTag = '{csp-script-nonce}';
+
+    /**
+     * Replace nonce tag automatically
+     *
+     * @var bool
+     */
+    protected $autoNonce = true;
+
     /**
      * An array of header info since we have
      * to build ourself before passing to Response.
@@ -192,18 +227,70 @@ class ContentSecurityPolicy
      */
     protected $reportOnlyHeaders = [];
 
+    /**
+     * Whether Content Security Policy is being enforced.
+     *
+     * @var bool
+     */
+    protected $CSPEnabled = false;
+
     /**
      * Constructor.
      *
      * Stores our default values from the Config file.
      */
     public function __construct(ContentSecurityPolicyConfig $config)
     {
+        $appConfig        = config('App');
+        $this->CSPEnabled = $appConfig->CSPEnabled;
+
         foreach (get_object_vars($config) as $setting => $value) {
             if (property_exists($this, $setting)) {
                 $this->{$setting} = $value;
             }
         }
+
+        if (! is_array($this->styleSrc)) {
+            $this->styleSrc = [$this->styleSrc];
+        }
+
+        if (! is_array($this->scriptSrc)) {
+            $this->scriptSrc = [$this->scriptSrc];
+        }
+    }
+
+    /**
+     * Whether Content Security Policy is being enforced.
+     */
+    public function enabled(): bool
+    {
+        return $this->CSPEnabled;
+    }
+
+    /**
+     * Get the nonce for the style tag.
+     */
+    public function getStyleNonce(): string
+    {
+        if ($this->styleNonce === null) {
+            $this->styleNonce = bin2hex(random_bytes(12));
+            $this->styleSrc[] = 'nonce-' . $this->styleNonce;
+        }
+
+        return $this->styleNonce;
+    }
+
+    /**
+     * Get the nonce for the script tag.
+     */
+    public function getScriptNonce(): string
+    {
+        if ($this->scriptNonce === null) {
+            $this->scriptNonce = bin2hex(random_bytes(12));
+            $this->scriptSrc[] = 'nonce-' . $this->scriptNonce;
+        }
+
+        return $this->scriptNonce;
     }
 
     /**
@@ -213,6 +300,10 @@ public function __construct(ContentSecurityPolicyConfig $config)
      */
     public function finalize(ResponseInterface &$response)
     {
+        if ($this->autoNonce === false) {
+            return;
+        }
+
         $this->generateNonces($response);
         $this->buildHeaders($response);
     }
@@ -580,28 +671,18 @@ protected function generateNonces(ResponseInterface &$response)
             return;
         }
 
-        if (! is_array($this->styleSrc)) {
-            $this->styleSrc = [$this->styleSrc];
-        }
-
-        if (! is_array($this->scriptSrc)) {
-            $this->scriptSrc = [$this->scriptSrc];
-        }
-
         // Replace style placeholders with nonces
-        $body = preg_replace_callback('/{csp-style-nonce}/', function () {
-            $nonce = bin2hex(random_bytes(12));
-
-            $this->styleSrc[] = 'nonce-' . $nonce;
+        $pattern = '/' . preg_quote($this->styleNonceTag, '/') . '/';
+        $body    = preg_replace_callback($pattern, function () {
+            $nonce = $this->getStyleNonce();
 
             return "nonce=\"{$nonce}\"";
         }, $body);
 
         // Replace script placeholders with nonces
-        $body = preg_replace_callback('/{csp-script-nonce}/', function () {
-            $nonce = bin2hex(random_bytes(12));
-
-            $this->scriptSrc[] = 'nonce-' . $nonce;
+        $pattern = '/' . preg_quote($this->scriptNonceTag, '/') . '/';
+        $body    = preg_replace_callback($pattern, function () {
+            $nonce = $this->getScriptNonce();
 
             return "nonce=\"{$nonce}\"";
         }, $body);

system/HTTP/Response.php

@@ -16,7 +16,7 @@
 use CodeIgniter\Cookie\Exceptions\CookieException;
 use CodeIgniter\HTTP\Exceptions\HTTPException;
 use Config\App;
-use Config\ContentSecurityPolicy as CSPConfig;
+use Config\Services;
 
 /**
  * Representation of an outgoing, getServer-side response.
@@ -152,7 +152,7 @@ public function __construct($config)
         $this->noCache();
 
         // We need CSP object even if not enabled to avoid calls to non existing methods
-        $this->CSP = new ContentSecurityPolicy(new CSPConfig());
+        $this->CSP = Services::csp();
 
         $this->CSPEnabled = $config->CSPEnabled;
 

system/HTTP/ResponseTrait.php

@@ -38,6 +38,8 @@ trait ResponseTrait
      * Whether Content Security Policy is being enforced.
      *
      * @var bool
+     *
+     * @deprecated Use $this->CSP->enabled() instead.
      */
     protected $CSPEnabled = false;
 
@@ -433,7 +435,7 @@ public function send()
     {
         // If we're enforcing a Content Security Policy,
         // we need to give it a chance to build out it's headers.
-        if ($this->CSPEnabled === true) {
+        if ($this->CSP->enabled()) {
             $this->CSP->finalize($this);
         } else {
             $this->body = str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $this->body ?? '');