PHP Version
8.5
CodeIgniter4 Version
4.7.2
CodeIgniter4 Installation Method
Composer (using codeigniter4/appstarter)
Which operating systems have you tested for this bug?
Linux
Which server did you use?
FrankenPHP Worker Mode
Environment
development
Database
MariaDB 11.8.5
What happened?
When CSP is enabled and the Debug Toolbar/Kint output is used in worker mode, the browser can report CSP violations for Kint's inline script/style assets on subsequent requests handled by the same worker process.
Example browser console output:
Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' 'nonce-...'”.
Content-Security-Policy: The page’s settings blocked an inline style (style-src-elem) from being applied because it violates the following directive: “style-src 'self' 'nonce-...'”.
Steps to Reproduce
- Enable CSP.
- Run the app with FrankenPHP worker mode.
- Enable debug mode / Debug Toolbar.
- Visit a page that renders Kint/Debug Toolbar output across multiple worker-handled requests.
- Observe CSP violations for Kint inline assets.
Expected Output
Kint inline script and style assets should use the current request's CSP nonces in worker mode.
Anything else?
Kint stores renderer CSP nonces and pre-render state in static properties. In normal PHP execution this state is discarded when the process finishes the request, but in worker mode the process, and therefore the static properties, survive across requests, so nonces from an earlier request can end up on inline assets while the current response's CSP header carries different nonces. CodeIgniter::resetForWorkerMode() already resets request-specific framework state, so it should also reset Kint's request-specific static renderer state.
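As an added illustration of the failure mode (not code from CodeIgniter or Kint), the following stand-alone PHP script simulates three requests passing through one long-lived worker process with a stand-in renderer that keeps its CSP nonces in static properties. FakeRichRenderer, handleRequest, simulateWorker and cspAllows are constructed names, and the way nonces reach the renderer is simplified to "set on first configuration"; how the framework actually wires nonces into Kint is not reproduced here.

```php
<?php
// Added example, not CodeIgniter or Kint code. FakeRichRenderer is a
// constructed stand-in for a renderer that keeps its CSP nonces in static
// properties; the "set once, keep forever" wiring below is an assumption
// used to make the symptom visible, not a description of Kint's internals.
declare(strict_types=1);

final class FakeRichRenderer
{
    public static ?string $jsNonce = null;   // persists across requests in worker mode
    public static ?string $cssNonce = null;

    // Emit the inline assets with whatever nonces are currently stored.
    public static function render(): string
    {
        return sprintf(
            '<script nonce="%s">/* kint js */</script><style nonce="%s">/* kint css */</style>',
            self::$jsNonce ?? '',
            self::$cssNonce ?? ''
        );
    }

    // The fix the report asks for: drop request-specific static state so the
    // next request starts clean, as the framework already does for its own state.
    public static function resetForWorkerMode(): void
    {
        self::$jsNonce  = null;
        self::$cssNonce = null;
    }
}

// Minimal model of the browser-side check: the nonce on an inline element must
// equal the nonce in the matching CSP directive, otherwise the element is blocked.
function cspAllows(string $html, string $scriptNonce, string $styleNonce): array
{
    preg_match('/<script nonce="([^"]*)"/', $html, $js);
    preg_match('/<style nonce="([^"]*)"/', $html, $css);
    return [
        'script' => ($js[1] ?? '') === $scriptNonce,
        'style'  => ($css[1] ?? '') === $styleNonce,
    ];
}

// One request as a long-lived worker would handle it. Each request mints fresh
// nonces for its CSP header; the renderer only picks them up if its statics are
// still empty (the "configure once" assumption described above).
function handleRequest(int $n, bool $resetStatics): array
{
    if ($resetStatics) {
        FakeRichRenderer::resetForWorkerMode();
    }
    $scriptNonce = bin2hex(random_bytes(8));
    $styleNonce  = bin2hex(random_bytes(8));
    $cspHeader   = "script-src 'self' 'nonce-{$scriptNonce}'; style-src 'self' 'nonce-{$styleNonce}'";

    FakeRichRenderer::$jsNonce  ??= $scriptNonce;
    FakeRichRenderer::$cssNonce ??= $styleNonce;

    $html    = FakeRichRenderer::render();
    $allowed = cspAllows($html, $scriptNonce, $styleNonce);

    return ['request' => $n, 'csp' => $cspHeader, 'html' => $html, 'allowed' => $allowed];
}

// Several requests through the same process, with and without the reset.
function simulateWorker(bool $resetStatics, int $requests = 3): array
{
    FakeRichRenderer::resetForWorkerMode(); // fresh process for each scenario
    $results = [];
    for ($n = 1; $n <= $requests; $n++) {
        $results[] = handleRequest($n, $resetStatics);
    }
    return $results;
}

foreach (['without reset' => false, 'with reset' => true] as $label => $reset) {
    echo "== {$label} ==\n";
    foreach (simulateWorker($reset) as $r) {
        $blocked = array_keys(array_filter($r['allowed'], fn (bool $ok) => ! $ok));
        echo sprintf(
            "request %d: %s\n",
            $r['request'],
            $blocked === []
                ? 'inline assets match the CSP header'
                : 'browser would block: ' . implode(', ', $blocked)
        );
    }
}
```

Run it with `php worker-nonce-demo.php`: in the "without reset" scenario only the first request's inline assets carry nonces that match the response's CSP header, while the second and third requests reuse the stale static nonces and would be blocked, which is the console output reported above; in the "with reset" scenario every request matches, because clearing the static state at the start of each request forces the renderer to pick up the current request's nonces.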