Laravel-debugbar: Render with nonce/hash parameter

Created on 13 Jul 2018 · 16 Comments · Source: barryvdh/laravel-debugbar

As the default installation injects the code just before </body>, the script and assets will be blocked by the browser if you enforce strong CSP headers for injection protection.

It would be nice workaround if by setting 'inject' to false, and rendering the debugbar manually in your master template, one could also add nonce or hash parameter:

$renderer = Debugbar::getJavascriptRenderer();
echo $renderer->renderHead(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p']);
..
echo $renderer->render(['nonce' => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p']);

so the result would be something like

<link nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p" ..  />
..
<script type="text/javascript" nonce="ogCHUYO6kVuNXlvGPcB8dcFIM7p">
  var phpdebugbar = new PhpDebugBar.DebugBar();
  ..

Doesn't seem to me that #569 is related, but correct me if I'm wrong

stale


All 16 comments

Yeah I was having a similar problem, must see what the best way is. Perhaps a callback to set it or something.

Running into this same issue. I'm using https://github.com/spatie/laravel-csp to set policies and working through the console.log to resolve issues. I need to add nonces to the Style and 2 script elements injected

Any news on this? Trying to implement Spatie's package too. Would be great to pass along a nonce.

Any progress? The debugbar is currently the only package blocking me from using CSP.

Same for me. Currently disabled debugbar. Is there any way we can help or assist? @barryvdh you had some ideas?

For those using laravel-csp or trying to: it looks like there is a config option to enable/disable it in the ENV file, so you could use this to drop the CSP policy/headers from dev/testing.

The following is found in config/csp.php (have not used or tested this yet):

'enabled' => env('CSP_ENABLED', true),

Would also like to see a proper fix for this issue. Disabling CSP locally is to ask for problem in production. :)

My current work around with Spatie/laravel-csp, in a custom policy:

// To allow Laravel debugbar and Whoops error handling in local environment
if (config('app.env') == 'local') {
    $this->reportOnly();
}

At least in that way it is possible to keep an eye in console for violations.

Still no progress?

Report only mode for local is poor workaround as debugbar will generate enormous amount of CSP warnings and the console becomes filled and unreadable.

Are we (CSP users) really such a minority?

Sorry I don't use it often. But what is exactly required, just the nonce to the scripts? So we can extend https://github.com/barryvdh/laravel-debugbar/blob/master/src/JavascriptRenderer.php to inject a nonce in all scripts, but we need to have a way to determine the nonce. We could obviously just support Spatie and do something like function_exists('csp_nonce'), or check if the View has a shared variable like in https://github.com/fruitcake/laravel-telescope-toolbar/blob/master/resources/views/head.blade.php

Thumbs up for the idea of function_exists('csp_nonce'), I'd guess that is what most users use anyway with Laravel. And if not using that package then option is to define and bootstrap own function named csp_nonce.

Is that script and style nonce always the same?

We could also make it a config option, eg. define the callable in the config ('csp_callback' => 'csp_nonce') and use that.

With Spatie script and style use same nonce, I'd guess that is quite typical case for any usage of nonce.

Callback idea sounds excellent as it would allow any CSP package or custom solution.
Yes, usually the nonce is the same for style and script tags.

Much appreciated!

But what is exactly required, just the nonce to the scripts?

Ultimately nonce for each inline block <script> and <style> and no use of element inline styles (<a style="color:red">) or inline scripts (<button onclick="func()">)
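Added example, not code from laravel-debugbar or any commenter: one way to get the behaviour discussed above (a configurable nonce callable falling back to spatie/laravel-csp's csp_nonce() helper, and a nonce on every inline script/style block) without waiting for a change in JavascriptRenderer. It post-processes the HTML that renderHead() and render() return, which the page shows consists of plain <link>, <script> and <style> tags. The 'debugbar.csp_callback' config key, the function names and the sample HTML are assumptions made for this example; a cspHash() helper is included for the static-hash alternative named in the issue title.

```php
<?php
// Added example (not laravel-debugbar's own code): add the page's CSP nonce to
// the <script>, <style> and <link> tags that Debugbar's JavascriptRenderer
// emits, with the nonce supplied by a callable (the 'csp_callback' idea from
// the thread) or by spatie/laravel-csp's csp_nonce() helper when it exists.

declare(strict_types=1);

/**
 * Resolve the nonce for the current request.
 * $callback would come from a hypothetical config('debugbar.csp_callback').
 */
function resolveCspNonce(?callable $callback = null): ?string
{
    if ($callback !== null) {
        $nonce = $callback();
        return (is_string($nonce) && $nonce !== '') ? $nonce : null;
    }
    if (function_exists('csp_nonce')) {   // provided by spatie/laravel-csp
        return csp_nonce();
    }
    return null;                           // no CSP in play: leave HTML untouched
}

/**
 * Add nonce="..." to every <script>, <style> and <link> start tag that does
 * not already carry one. A regex is enough because the renderer emits simple,
 * well-formed tags; this is deliberately not a general HTML rewriter.
 */
function addCspNonce(string $html, ?string $nonce): string
{
    if ($nonce === null) {
        return $html;
    }
    $safe = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '/<(script|style|link)\b([^>]*)>/i',
        static function (array $m) use ($safe): string {
            if (preg_match('/\bnonce\s*=/i', $m[2])) {
                return $m[0];              // already has a nonce
            }
            return '<' . $m[1] . ' nonce="' . $safe . '"' . $m[2] . '>';
        },
        $html
    );
}

/**
 * CSP source expression for a static inline block, the alternative to a nonce.
 * The hash must cover the exact block content, whitespace and newlines included.
 */
function cspHash(string $inlineContent): string
{
    return "'sha256-" . base64_encode(hash('sha256', $inlineContent, true)) . "'";
}

// --- Usage in a Blade layout, with 'inject' => false in config/debugbar.php ---
// $renderer = Debugbar::getJavascriptRenderer();
// $nonce    = resolveCspNonce(config('debugbar.csp_callback')); // hypothetical key
// echo addCspNonce($renderer->renderHead(), $nonce);
// ...
// echo addCspNonce($renderer->render(), $nonce);

// Constructed stand-in for what renderHead()/render() emit, so this runs alone.
$sampleHead = '<link rel="stylesheet" type="text/css" href="/_debugbar/assets/stylesheets">' . "\n"
    . '<script type="text/javascript" src="/_debugbar/assets/javascript"></script>';
$inline     = "var phpdebugbar = new PhpDebugBar.DebugBar();\n";
$sampleBody = "<script type=\"text/javascript\">\n" . $inline . "</script>";

// Constructed nonce; in a real request it changes per response.
$nonce = resolveCspNonce(static fn (): string => 'ogCHUYO6kVuNXlvGPcB8dcFIM7p');

echo addCspNonce($sampleHead, $nonce), "\n";
echo addCspNonce($sampleBody, $nonce), "\n";
echo "script-src hash for the inline block: ", cspHash($inline), "\n";
```

The nonce is HTML-escaped before insertion so a malformed value from a callback cannot break out of the attribute, and tags that already carry a nonce are left alone so the helper is safe to apply twice. Inline event handlers and style attributes, as the comment above notes, are not covered by either a nonce or a hash; only the blocks the renderer emits are.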

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If this issue is still present on the latest version of this library on supported Laravel versions, please let us know by replying to this issue so we can investigate further.
Thank you for your contribution! Apologies for any delayed response on our side.
