
A browser Content Security Policy without unsafe-inline blocks Yii Debug scripts #289

Open
marius-nabal opened this issue Nov 19, 2024 · 0 comments
Labels
status:ready for adoption Feel free to implement this issue. type:enhancement Enhancement

@marius-nabal

What steps will reproduce the problem?

Implement a browser Content Security Policy without unsafe-inline.

What is the expected result?

The Yii debug toolbar should still appear, but it doesn't.

What do you get instead?

The browser blocks the Yii debug toolbar's inline scripts as a security policy risk and prevents them from running.

A fix would be to allow a nonce or hash to be set against the scripts.

As a workaround, we fixed it by extending \yii\debug\Module, then output-buffering renderToolbar() and using str_replace() to inject a nonce into the script/style tags.

Additional info

Version: 2.1.25
PHP version: 8.3
Operating system: Mac: Safari, Firefox, Chrome
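The workaround described in the issue, written out as an added example (this is not the reporter's code and not part of yii2-debug): a subclass of yii\debug\Module that output-buffers the stock toolbar markup, stamps a per-request nonce onto its inline script and style tags, and also appends that nonce to the response's existing Content-Security-Policy header so that header and markup agree. The class name, namespace, and the header-rewriting hook are assumptions; the module should only be enabled in development, as the debug module normally is.

```php
<?php
// Added example, not code from the issue or from yii2-debug itself.
// Assumptions: class name/namespace are ours; the application already emits a
// Content-Security-Policy header with script-src and style-src directives.

namespace app\debug;

use yii\base\Event;
use yii\debug\Module;
use yii\web\Response;

class CspDebugModule extends Module
{
    /** @var string|null Per-request nonce, generated on first use. */
    private $_nonce;

    /**
     * Returns this request's nonce: 128 bits from the CSPRNG, base64-encoded.
     * One fresh value per request; never reuse it or derive it from anything predictable.
     */
    public function getNonce(): string
    {
        if ($this->_nonce === null) {
            $this->_nonce = base64_encode(random_bytes(16));
        }
        return $this->_nonce;
    }

    /**
     * {@inheritdoc}
     * Keep the parent's hooks, and additionally rewrite the CSP header just before sending.
     */
    public function bootstrap($app)
    {
        parent::bootstrap($app);
        if ($app instanceof \yii\web\Application) {
            $app->getResponse()->on(Response::EVENT_BEFORE_SEND, [$this, 'addNonceToCspHeader']);
        }
    }

    /**
     * {@inheritdoc}
     * Capture what the parent echoes and re-emit it with nonce attributes added.
     */
    public function renderToolbar($event)
    {
        ob_start();
        try {
            parent::renderToolbar($event);
        } finally {
            $html = ob_get_clean();
        }
        echo self::addNonceToTags((string) $html, $this->getNonce());
    }

    /**
     * Adds nonce="..." to every <script ...> and <style ...> opening tag.
     * A regex rather than str_replace('<script>', ...) so that tags which already
     * carry attributes (type="...", etc.) are covered as well.
     */
    public static function addNonceToTags(string $html, string $nonce): string
    {
        $attr = ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '"';
        return preg_replace('/<(script|style)\b/i', '<$1' . $attr, $html);
    }

    /**
     * Appends 'nonce-...' to the script-src and style-src directives of an existing
     * Content-Security-Policy header. If the app sets no CSP header, nothing changes;
     * a directive that is absent stays absent (default-src is deliberately not touched).
     */
    public function addNonceToCspHeader(Event $event)
    {
        /** @var Response $response */
        $response = $event->sender;
        $headers = $response->getHeaders();
        $csp = $headers->get('Content-Security-Policy');
        if ($csp === null) {
            return;
        }
        $headers->set('Content-Security-Policy', self::addNonceToPolicy($csp, $this->getNonce()));
    }

    /** Pure string rewrite, kept separate so it can be unit-tested without a Response. */
    public static function addNonceToPolicy(string $policy, string $nonce): string
    {
        // \b plus the (?=\s|;|$) lookahead matches the directive name only, so
        // "script-src-elem" or "style-src-attr" are not rewritten by accident.
        return preg_replace(
            '/\b(script-src|style-src)(?=\s|;|$)/',
            '$1 \'nonce-' . $nonce . '\'',
            $policy
        );
    }
}
```

Wire it in by pointing the existing debug module entry at this class in the web config ('modules' => ['debug' => ['class' => app\debug\CspDebugModule::class]], with 'debug' still listed under 'bootstrap'). Two caveats worth knowing before relying on this: a nonce only whitelists script and style elements, so any inline style="..." attribute in the toolbar markup is still blocked by a style-src without 'unsafe-inline' (covering attributes needs 'unsafe-hashes' or a hash of the attribute value), and in CSP Level 3 browsers the presence of a nonce or hash in a directive makes 'unsafe-inline' ignored for that directive, so adding the nonce is the right direction rather than loosening the policy.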
@samdark samdark added type:enhancement Enhancement status:ready for adoption Feel free to implement this issue. labels Nov 19, 2024