Skip to content

fix: Hardcoded CSP Nonce Tags in ResponseTrait #9937

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
patel-vansh wants to merge 7 commits into
base: develop
Choose a base branch
from
Open

fix: Hardcoded CSP Nonce Tags in ResponseTrait #9937

patel-vansh wants to merge 7 commits into from
+135 −5

Conversation

@patel-vansh
Copy link
Contributor

@patel-vansh patel-vansh commented Feb 8, 2026

Description
This PR fixes #9935.

Created one method in system/HTTP/ContentSecurityPolicy.php to clear all nonce placeholders.

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value (without duplication)
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@michalsn michalsn added the bug Verified issues on the current code behavior or pull requests that will fix them label Feb 8, 2026
paulbalandan
paulbalandan reviewed Feb 8, 2026
View reviewed changes
Copy link
Member

@paulbalandan paulbalandan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tests don't make sense. You should be testing instead the behavior when the response is sent when CSP is not enabled.

system/HTTP/ContentSecurityPolicy.php
$this->{$this->directives[$directive]} = [];
}

public function clearNoncePlaceholders(string $text): string
Copy link
Member

@paulbalandan paulbalandan Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • This can go instead in the generateNonces method in the preg_replace_callback so that if $CSPEnabled is false it just returns ''.
  • In buildHeaders, if CSP is disabled, just return
  • In ResponseTrait, remove the conditional and retain the finalize call.

Copy link
Contributor Author

@patel-vansh patel-vansh Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

tests/system/HTTP/ContentSecurityPolicyTest.php Outdated
$this->assertNotContains('report-to default', $directives);
}

public function testClearNoncePlaceholdersWithDefaultTags(): void
Copy link
Member

@paulbalandan paulbalandan Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove these tests down and replace with the ones you have in ResponseTest but tailor it to be like in the majority of the tests here.

Copy link
Contributor Author

@patel-vansh patel-vansh Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@patel-vansh @paulbalandan
Apply code suggestions
65b1a04 
Co-authored-by: John Paul E. Balandan, CPA <paulbalandan@gmail.com>
@patel-vansh patel-vansh force-pushed the fix/hardcoded-csp-tags branch from 97b1297 to 65b1a04 Compare February 10, 2026 04:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paulbalandan paulbalandan paulbalandan left review comments

Assignees

No one assigned

Labels

bug Verified issues on the current code behavior or pull requests that will fix them

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: Hardcoded CSP Nonce Tags in ResponseTrait

3 participants

@patel-vansh @paulbalandan @michalsn