Description
PHP Version
8.4, 8.3
CodeIgniter4 Version
All versions with CSP Placeholders
CodeIgniter4 Installation Method
Composer (using codeigniter4/appstarter)
Which operating systems have you tested for this bug?
macOS
Which server did you use?
apache
Environment
production, development
Database
N/A
What happened?
In the ResponseTrait::send() method, when CSP is disabled, the code uses hardcoded nonce tag values to remove the placeholders from the response body:
CodeIgniter4/system/HTTP/ResponseTrait.php
Lines 370 to 374 in 1b41358
```php
if ($this->CSP->enabled()) {
    $this->CSP->finalize($this);
} else {
    $this->body = str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $this->body ?? '');
}
```
However, these nonce tags are configurable in ContentSecurityPolicy:
```php
// In system/HTTP/ContentSecurityPolicy.php
protected $styleNonceTag = '{csp-style-nonce}';
protected $scriptNonceTag = '{csp-script-nonce}';
```
```php
// Users can customize in app/Config/ContentSecurityPolicy.php
public string $styleNonceTag = '{my-own-csp-style-nonce}';
public string $scriptNonceTag = '{my-own-csp-script-nonce}';
```
If the application was using these custom tags while CSP was enabled and CSP is later disabled for any reason, the custom tags are not replaced and the rendered HTML still contains them.
Steps to Reproduce
User customizes nonce tags but temporarily CSP is disabled (as recommended in docs for security):
```php
// app/Config/ContentSecurityPolicy.php
public string $scriptNonceTag = '{custom-secure-script-tag}';
public string $styleNonceTag = '{custom-secure-style-tag}';
public bool $CSPEnabled = false;
```
HTML template uses custom tags:
```html
<script {custom-secure-script-tag}>console.log('test')</script>
```
Result: The custom tags remain in the final HTML output because ResponseTrait only looks for the hardcoded default tags!
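To make the leak concrete, here is an added, self-contained PHP model of the cleanup step (not CodeIgniter's code): `CspConfigStub` is a hypothetical stand-in for app/Config/ContentSecurityPolicy.php, one function mirrors the hardcoded `str_replace` from ResponseTrait, the other reads the configured tags, and a check reports whether any placeholder survived in the rendered body.

```php
<?php
// Added example, not part of CodeIgniter4. Models the placeholder cleanup
// that runs in ResponseTrait::send() when CSP is disabled.

// Hypothetical stand-in for app/Config/ContentSecurityPolicy.php.
final class CspConfigStub
{
    public function __construct(
        public bool $CSPEnabled = false,
        public string $styleNonceTag = '{custom-secure-style-tag}',
        public string $scriptNonceTag = '{custom-secure-script-tag}',
    ) {}
}

// Current behaviour from the issue: only the default tags are removed.
function stripNoncePlaceholdersHardcoded(string $body): string
{
    return str_replace(['{csp-style-nonce}', '{csp-script-nonce}'], '', $body);
}

// Config-driven cleanup: remove whatever tags the application configured.
function stripNoncePlaceholdersConfigured(string $body, CspConfigStub $config): string
{
    return str_replace([$config->styleNonceTag, $config->scriptNonceTag], '', $body);
}

// Regression check: with CSP disabled, neither the configured nor the
// default placeholder may remain in the body that is sent to the client.
function hasLeftoverPlaceholder(string $body, CspConfigStub $config): bool
{
    $tags = [$config->styleNonceTag, $config->scriptNonceTag,
             '{csp-style-nonce}', '{csp-script-nonce}'];
    foreach ($tags as $tag) {
        if (str_contains($body, $tag)) {
            return true;
        }
    }
    return false;
}

// Constructed template that uses the custom tags from the reproduction steps.
$config = new CspConfigStub();
$html   = '<style ' . $config->styleNonceTag . '>body { color: red; }</style>' . "\n"
        . '<script ' . $config->scriptNonceTag . ">console.log('test')</script>\n";

$leaky = stripNoncePlaceholdersHardcoded($html);
$fixed = stripNoncePlaceholdersConfigured($html, $config);

echo 'hardcoded cleanup leaves a placeholder: ', var_export(hasLeftoverPlaceholder($leaky, $config), true), PHP_EOL;
echo 'configured cleanup leaves a placeholder: ', var_export(hasLeftoverPlaceholder($fixed, $config), true), PHP_EOL;
```

The same check can be dropped into a feature test that renders a view with CSP disabled, so a regression in the cleanup is caught before a placeholder reaches production HTML.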
Expected Output
The custom tags should be removed from the final HTML output.
Anything else?
It's not a big problem, as there are no immediate security risks.
I will send a PR for this.
Just want to confirm the bug with the project maintainers.