Skip to content

fix: reset Kint CSP state in worker mode#10139

Merged
paulbalandan merged 1 commit intocodeigniter4:developfrom
memleakd:fix/worker-kint-csp-nonces
Apr 25, 2026
Merged

fix: reset Kint CSP state in worker mode#10139
paulbalandan merged 1 commit intocodeigniter4:developfrom
memleakd:fix/worker-kint-csp-nonces

Conversation

@memleakd
Copy link
Copy Markdown
Contributor

@memleakd memleakd commented Apr 24, 2026
edited
Loading

This fixes stale Kint renderer state in worker mode.

Kint stores CSP nonces and rich renderer pre-render state in static properties. In normal PHP execution those statics are discarded after each request, but in worker mode they persist across requests. This can cause Debug Toolbar/Kint inline assets to use stale CSP nonces and trigger browser CSP violations.

This change resets Kint's request-specific renderer state from CodeIgniter::resetForWorkerMode() without reinitializing Kint or adding new public API.

  • Refreshes Kint script/style CSP nonces per worker request
  • Clears stale Kint nonces when CSP is disabled
  • Restores RichRenderer::$needs_pre_render for the next request
  • Adds regression coverage for worker reset behavior
  • Adds a changelog entry

Fixes #10138

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value (without duplication)
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@memleakd
fix: reset Kint CSP state in worker mode
bf6f06b 
Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
@mergeable
Copy link
Copy Markdown

mergeable Bot commented Apr 24, 2026

Hi there, memleakd! 👋

Thank you for sending this PR!

We expect the following in all Pull Requests (PRs).

Important

We expect all code changes or bug-fixes to be accompanied by one or more tests added to our test suite to prove the code works.

If pull requests do not comply with the above, they will likely be closed. Since we are a team of volunteers, we don't have any more time to work
on the framework than you do. Please make it as painless for your contributions to be included as possible.

See https://github.com/codeigniter4/CodeIgniter4/blob/develop/contributing/pull_request.md

Sincerely, the mergeable bot 🤖

@paulbalandan paulbalandan requested a review from michalsn April 25, 2026 06:40
michalsn
michalsn approved these changes Apr 25, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@michalsn michalsn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for discovering, reporting, and fixing this. Truly the ideal situation.

Looks good to me.

Although for the 4.8 branch, we will need a small adjustment because CSP is lazy-loaded. I can take care of that later.

@paulbalandan paulbalandan merged commit aa0d83e into codeigniter4:develop Apr 25, 2026
60 of 61 checks passed
@paulbalandan
Copy link
Copy Markdown
Member

paulbalandan commented Apr 25, 2026

Thank you, @memleakd

@memleakd memleakd deleted the fix/worker-kint-csp-nonces branch April 25, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michalsn michalsn michalsn approved these changes

@paulbalandan paulbalandan paulbalandan approved these changes

+1 more reviewer

@datamweb datamweb datamweb approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: Debug Toolbar Kint assets reuse stale CSP nonces in worker mode

4 participants

@memleakd @paulbalandan @michalsn @datamweb