Render with nonce/hash parameter

[screenager]

As the default installation injects the code just before </body>, the script and assets will be blocked by the browser if you enforce strong CSP headers for injection protection.

It would be nice workaround if by setting 'inject' to false, and rendering the debugbar manually in your master template, one could also add nonce or hash parameter:

$renderer = Debugbar::getJavascriptRenderer();
echo $renderer->renderHead(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p');
..
echo $renderer->render(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p');

so the result would be something like

<link nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p" ..  />
..
<script type="text/javascript" nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p">
  var phpdebugbar = new PhpDebugBar.DebugBar();
  ..

Doesn't seem to me that #569 is related, but correct me if I'm wrong

[barryvdh]

Yeah I was having a similar problem, must see what the best way is. Perhaps a callback to set it or something.

[ncrewsSouthern]

Running into this same issue. I'm using https://github.com/spatie/laravel-csp to set policies and working through the console.log to resolve issues. I need to add nonce's to the Style and 2 script elements injected

[jannejava]

Any news on this? Trying to implement Spatie’s package too. Would be great to pass along a nonuce.

[dovca]

Any progress? The debugbar is currently the only package blocking me from using CSP.

[jannejava]

Same for me. Currently disabled debugbar. Is there any way we can help or assist? @barryvdh you had some ideas?

[ncrewsSouthern]

For those using laravel-csp or trying to. looks like there is a config option to enable/disable in the ENV file, you could use this to drop the CSP policy/headers from dev/testing.

the following is found in config/csp.php( have not used or tested this yet )

'enabled' => env('CSP_ENABLED', true),

[jtallinger]

Would also like to see a proper fix for this issue. Disabling CSP locally is to ask for problem in production. :)

My current work around with Spatie/laravel-csp, in a custom policy:

// To allow Laravel debugbar and Whoops error handling in local environment
if (config('app.env') == 'local') {
    $this->reportOnly();
}

At least in that way it is possible to keep an eye in console for violations.

[liepumartins]

Still no progress?

Report only mode for local is poor workaround as debugbar will generate enormous amount of CSP warnings and the console becomes filled and unreadable.

Are we (CSP users) really such a minority?

[barryvdh]

Sorry I don't use it often. But what is exactly required, just the nonce to the scripts? So we can extend https://github.com/barryvdh/laravel-debugbar/blob/master/src/JavascriptRenderer.php to inject a nonce in all script, but we need to have a way to determine the nonce. We could obviously just support Spatie and doe something like function_exists('csp_nonce'), or check if the View has a shared variable like in https://github.com/fruitcake/laravel-telescope-toolbar/blob/master/resources/views/head.blade.php

[jtallinger]

Thumbs up for the idea of function_exists('csp_nonce'), I'd guess that is what most users use anyway with Laravel. And if not using that package then option is to define and bootstrap own function named csp_nonce.

[barryvdh]

Is thet script and style nonce always the same?

[barryvdh]

We could also make it a config option, eg. define the callable in the config ('csp_callback' => 'csp_nonce') and use that.

[jtallinger]

With Spatie script and style use same nonce, I'd guess that is quite typical case for any usage of nonce.

[liepumartins]

Callback idea sounds excellent as it would allow any CSP package or custom solution.
Yes, usually the nonce is the same for style and script tags.

Much appreciated!

But what is exactly required, just the nonce to the scripts?

Ultimately nonce for each inline block <script> and <style> and no use of element inline styles (<a style="color:red">)or inline scripts (<button onclick="func()">)

[barryvdh]

Partial PR: #1013

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If this issue is still present on the latest version of this library on supported Laravel versions, please let us know by replying to this issue so we can investigate further.
Thank you for your contribution! Apologies for any delayed response on our side.

[jtallinger]

For anyone coming here and wondering if this is solved and how to make it work. I solved it by using a recent version of the package (>Sep 2023 / version >3.12.2) and by adding following to app/Providers/AppServiceProvider.php (Laravel 10):

if ($this->app->isLocal()) {
    // Set CSP nonce for Laravel Debugbar during development
    if (class_exists(\Barryvdh\Debugbar\Facades\Debugbar::class) && app()->bound('debugbar')) {
        app('debugbar')->getJavascriptRenderer()->setCspNonce(csp_nonce());
    }
}

Finally no more CSP warnings during development. Thanks for an excellent package and thanks for the work to get this issue solved 😀 👍

[Seyid-cmd]

@jtallinger thank you, that works .