fix: DebugBar block by CSP #8411
Conversation
YapsBridging
changed the title
kenjis
added
the
bug
|
Thank you @michalsn for the explanation, |
|
We don't use merge commits in PR branch. |
| @@ -309,7 +331,8 @@ | |||
|
|
|||
| <!-- SCRIPTS --> | |||
|
|
|||
| <script> | |||
| <script {csp-script-nonce}> | |||
There was a problem hiding this comment.
| <script {csp-script-nonce}> | |
| <script <?= csp_script_nonce() ?>> |
There was a problem hiding this comment.
thanks @kenjis , but why dont use {csp-script-nonce} ?
like line 12 welcome_message.php, use {csp-style-nonce}
There was a problem hiding this comment.
Okay, you are correct. The line 12 uses <style {csp-style-nonce}>.
So using it here is okay.
I personally think we don't need to use {csp-style-nonce} if we can use the csp_script_nonce() function. It is a CI4 global function and we can always use it in PHP scripts.
There was a problem hiding this comment.
i think so too..
if csp is enable ,it must following change the placeholder tagNonce , cause If not change and if an attacker injects a string like <script {csp-script-nonce}> it might become the real nonce attribute with functionality.
https://www.codeigniter.com/user_guide/outgoing/csp.html
so the best we can use csp_script_nonce()
|
Please sign all commits. |
thanks @kenjis , This is my first time making a PR, I have read the link above, but I don't understand how to fix it, can you help me and sorry my bad english. |
|
@YapsBridging Welcome to CodeIgniter4! First, I recommend you set up your git to sign all commits (in this repository).
See also https://github.com/codeigniter4/CodeIgniter4/blob/develop/contributing/signing.md |
|
Set upstream repository: Fetch the latest upstream: Rebase your PR branch: Force push: |
thank @kenjis so can i create a new PR with new Branch and close/delete this one? |
|
Oh, you don't use git. Creating a new PR is no problem! But if you could use git, you can change your commits easily without creating new PRs. |
thanks @kenjis , of course i want, i'm glad ,if u want to help me to, basically i use git with command prompt but just standard command pull, push ,commit create branch,switch, check log,etc,, one of the problems is when i try to signing to all old commit with git rebase -i --root --exec 'git commit --amend --no-edit --no-verify -S' its also overwrites other people's commits with my signature maybe because of the merge.
LoL.. |
|
You did not push your local branch to the remote branch in GitHub. |
|
Or you can clone your repository in GitHub again. |
|
I recommend:
and if you set it, If you follow the instruction, the commit log would be following: |
|
@kenjis , Ok I'll try it |
|
greate !..
one step again
|
|
You did The error on push seems an issue about your token permission. I use SSH auth, so I have never seen that error. |
|
hi @kenjis , I have completed the permission token permission, now i get message can u tell me how to fix it ? |
|
It shows someone (probably you?) added commit(s) that is not included in your local branch to the remote branch on GitHub. If you are sure the local branch is no problem, try: |
|
@YapsBridging Can't you push to your PR branch? |
@kenjis , I thought I had completed the token permission. but apparently not, I need some more time to push again..., maybe with a new branch, I'm also afraid of lots of conflicts when I push using the same branch |
|
The steps in #8411 (comment) did not work? Or pushing as a new branch and creating a new PR would be fine. |
I haven't tried it yet, |
|
I don't understand the conflicts you are afraid of. |
ow, i dont know about that,,,thanks @kenjis , i will try push again |
admin/css/debug-toolbar/toolbar.scss
Outdated
| #ci-database.debug-bar-dblock, | ||
| #ci-files.debug-bar-dblock, | ||
| #ci-routes.debug-bar-dblock, | ||
| #ci-events.debug-bar-dblock, | ||
| #ci-history.debug-bar-dblock, | ||
| #ci-vars.debug-bar-dblock, | ||
| #ci-config.debug-bar-dblock, | ||
| #ci-timeline.debug-bar-dblock { |
There was a problem hiding this comment.
I believe this can be simplified to one CSS class, .debug-bar-dblock, instead of individually showing all uses in #ci-* ids. If there would be a new id, say #ci-dump, it would need to be added here again.
There was a problem hiding this comment.
You're right..thanks @paulbalandan
app/Views/welcome_message.php
Outdated
| @@ -150,6 +150,26 @@ | |||
| .further h2:first-of-type { | |||
| padding-top: 0; | |||
| } | |||
| .f1 { | |||
|
macOS and Firefox. Before: After: |
|
This is great, but there is one little issue if only one case exist... while having for example I always get redirected to "homepage" using this new debugbar. i think this happened before but without the CSP Fix while clicking on them nothing happened... The fix is as following remove the href="#" from the button links <a href="#" data-toggle="datatable" data-table="<?= strtolower(str_replace(' ', '-', $heading)) ?>">
<h2><?= $heading ?></h2>
</a>
TO
<a data-toggle="datatable" data-table="<?= strtolower(str_replace(' ', '-', $heading)) ?>">
<h2><?= $heading ?></h2>
</a> |
|
What do you mean? It works with no problem with the following settings. diff --git a/app/Config/App.php b/app/Config/App.php
index 21b4df2052..aa433bf847 100644
--- a/app/Config/App.php
+++ b/app/Config/App.php
@@ -174,5 +174,5 @@ class App extends BaseConfig
* @see http://www.html5rocks.com/en/tutorials/security/content-security-policy/
* @see http://www.w3.org/TR/CSP/
*/
- public bool $CSPEnabled = false;
+ public bool $CSPEnabled = true;
}
diff --git a/app/Views/welcome_message.php b/app/Views/welcome_message.php
index 86a6e39de3..88001613ca 100644
--- a/app/Views/welcome_message.php
+++ b/app/Views/welcome_message.php
@@ -2,6 +2,7 @@
<html lang="en">
<head>
<meta charset="UTF-8">
+ <base href="localhost:8080">
<title>Welcome to CodeIgniter 4!</title>
<meta name="description" content="The small framework with powerful features">
<meta name="viewport" content="width=device-width, initial-scale=1.0"> |
|
@crustamet i see, cause tag base add value to All relative link in the page ex in so the tag/button debugbar will be http://localhost:8080/# before i change javascript:void(0) to # , because javascript:void(0) was blocked by CSP |
|
but in my opinion, if you use tag base, maybe other plugins will also be affected. If you use other plugins, you don't know whether the plugin you are using contains relative links. the tag Base will add value to All relative link in the page So in my opinion using the base tag is not appropriate, it can cause unexpected problems. that's just my opinion |
It only causes problems if you have already create the project that is not using this base option and then you use it when the project is finished :)) it doesnt work like that, you use it from the beginning of the project creation so it helps you organize everything better I don't think this matters for is appropriate or not, it does not break any functionalities for me, and its better because i load all my links with this base link. And i don't think it matters in this situation either, because what ? i added a valid base meta tag and the debugbar is not working ? :))) the debugbar should work whatever you do with your code. |
|
ok @crustamet, you're right, maybe this is the reason why the debugbar button uses javascript:void(0) not # |
|
why in the world would you want to have a hashtag in your links without wanting them there ? Here in the new debugbar it does that by adding data-(*attrs) to the links so now there is no need for href="#" at this point It would be better to have them as buttons instead of links but yeah there is bug with |
|
ow..i dont know about history of the hastag.. i know the single hastag, href="#" |
|
you should really make them with buttons 😆 but a tags without href so weird because now you will loose pointer cursor xD |
|
ow i forgot...Thank you @kenjis , for teaching Git....:)) |
Cannot reproduce with |
|
Oh, I was able to reproduce with |
Description
Fixes #8405
BEFORE
AFTER
Steps to Reproduce
set CSPEnabled = true,
set ENVIRONMENT to development
Checklist: