NoCacheReplacer and CSP headers #8802

@vicolsson

Description

Bug description

We've recently upgraded our Statamic sites (after way too long) and now it clashes with our CSP headers. It's this line:
https://github.com/statamic/cms/blob/4.x/src/StaticCaching/Replacers/NoCacheReplacer.php#L82

Due to strict security regulations on our sites we must have CSP headers that regulate from where scripts can be loaded. Loading scripts inline is sadly not allowed. This is currently blocking us from having the cache enabled. With it enabled our forms are not working due to the CSRF token replacement thingy.

Do you think you'd be able to build some workaround? Maybe create a file out of it and add that to the site?

How to reproduce

Deploy Statamic to a host with:
Content-Security-Policy: script-src 'self'
Activate the cache.
Open the site (not the CMS). On load you'll see an error in the console that the inline script has been blocked.

Logs

No response

Environment

Environment
Application Name: ***
Laravel Version: 10.24.0
PHP Version: 8.2.10
Composer Version: 2.6.3
Environment: local
Debug Mode: ENABLED
URL: ***
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: statamic
Database: mysql
Logs: stack / single
Mail: smtp
Queue: sync
Session: file

Statamic
Addons: 1
Antlers: regex
Stache Watcher: Enabled
Static Caching: Disabled
Version: 4.23.1 PRO

Statamic Addons
statamic/ssg: 2.2.0

Installation

Fresh statamic/statamic site via CLI

Antlers Parser

None

Additional details

No response
