Render with nonce/hash parameter

[screenager]

As the default installation injects the code just before </body>, the script and assets will be blocked by the browser if you enforce strong CSP headers for injection protection.

It would be nice workaround if by setting 'inject' to false, and rendering the debugbar manually in your master template, one could also add nonce or hash parameter:

$renderer = Debugbar::getJavascriptRenderer();
echo $renderer->renderHead(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p');
..
echo $renderer->render(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p');

so the result would be something like

<link nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p" ..  />
..
<script type="text/javascript" nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p">
  var phpdebugbar = new PhpDebugBar.DebugBar();
  ..

Doesn't seem to me that #569 is related, but correct me if I'm wrong

[barryvdh]

Yeah I was having a similar problem, must see what the best way is. Perhaps a callback to set it or something.

[ncrewsSouthern]

Running into this same issue. I'm using https://github.com/spatie/laravel-csp to set policies and working through the console.log to resolve issues. I need to add nonce's to the Style and 2 script elements injected

[jannejava]

Any news on this? Trying to implement Spatie’s package too. Would be great to pass along a nonuce.

[dovca]

Any progress? The debugbar is currently the only package blocking me from using CSP.

[jannejava]

Same for me. Currently disabled debugbar. Is there any way we can help or assist? @barryvdh you had some ideas?

[ncrewsSouthern]

For those using laravel-csp or trying to. looks like there is a config option to enable/disable in the ENV file, you could use this to drop the CSP policy/headers from dev/testing.

the following is found in config/csp.php( have not used or tested this yet )

'enabled' => env('CSP_ENABLED', true),

[jtallinger]

Would also like to see a proper fix for this issue. Disabling CSP locally is to ask for problem in production. :)

My current work around with Spatie/laravel-csp, in a custom policy:

// To allow Laravel debugbar and Whoops error handling in local environment
if (config('app.env') == 'local') {
    $this->reportOnly();
}

At least in that way it is possible to keep an eye in console for violations.

[liepumartins]

Still no progress?

Report only mode for local is poor workaround as debugbar will generate enormous amount of CSP warnings and the console becomes filled and unreadable.

Are we (CSP users) really such a minority?

[barryvdh]

Sorry I don't use it often. But what is exactly required, just the nonce to the scripts? So we can extend https://github.com/barryvdh/laravel-debugbar/blob/master/src/JavascriptRenderer.php to inject a nonce in all script, but we need to have a way to determine the nonce. We could obviously just support Spatie and doe something like function_exists('csp_nonce'), or check if the View has a shared variable like in https://github.com/fruitcake/laravel-telescope-toolbar/blob/master/resources/views/head.blade.php

[jtallinger]

Thumbs up for the idea of function_exists('csp_nonce'), I'd guess that is what most users use anyway with Laravel. And if not using that package then option is to define and bootstrap own function named csp_nonce.

[barryvdh]

Is thet script and style nonce always the same?

[barryvdh]

We could also make it a config option, eg. define the callable in the config ('csp_callback' => 'csp_nonce') and use that.

[jtallinger]

With Spatie script and style use same nonce, I'd guess that is quite typical case for any usage of nonce.

[liepumartins]

Callback idea sounds excellent as it would allow any CSP package or custom solution.
Yes, usually the nonce is the same for style and script tags.

Much appreciated!

But what is exactly required, just the nonce to the scripts?

Ultimately nonce for each inline block <script> and <style> and no use of element inline styles (<a style="color:red">)or inline scripts (<button onclick="func()">)

[barryvdh]

Partial PR: #1013