Add granular nonces

patel-vansh · patel-vansh · commit 2caca5ba77d9 · 2026-04-01T15:47:09.000+05:30
diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
@@ -199,6 +199,16 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $sandbox;
 
+    /**
+     * Enable nonce to style tags?
+     */
+    public bool $enableStyleNonce = true;
+
+    /**
+     * Enable nonce to script tags?
+     */
+    public bool $enableScriptNonce = true;
+
     /**
      * Nonce placeholder for style tags.
      */
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -298,6 +298,20 @@ class ContentSecurityPolicy
      */
     protected $scriptNonce;
 
+    /**
+     * Whether to enable nonce to style-src and style-src-elem directives or not.
+     *
+     * @var bool
+     */
+    protected $enableStyleNonce = true;
+
+    /**
+     * Whether to enable nonce to script-src and script-src-elem directives or not.
+     *
+     * @var bool
+     */
+    protected $enableScriptNonce = true;
+
     /**
      * Nonce placeholder for style tags.
      *
@@ -399,10 +413,13 @@ public function getStyleNonce(): string
     {
         if ($this->styleNonce === null) {
             $this->styleNonce = base64_encode(random_bytes(12));
-            $this->addStyleSrc('nonce-' . $this->styleNonce);
 
-            if ($this->styleSrcElem !== []) {
-                $this->addStyleSrcElem('nonce-' . $this->styleNonce);
+            if ($this->enableStyleNonce) {
+                $this->addStyleSrc('nonce-' . $this->styleNonce);
+
+                if ($this->styleSrcElem !== []) {
+                    $this->addStyleSrcElem('nonce-' . $this->styleNonce);
+                }
             }
         }
 
@@ -416,10 +433,13 @@ public function getScriptNonce(): string
     {
         if ($this->scriptNonce === null) {
             $this->scriptNonce = base64_encode(random_bytes(12));
-            $this->addScriptSrc('nonce-' . $this->scriptNonce);
 
-            if ($this->scriptSrcElem !== []) {
-                $this->addScriptSrcElem('nonce-' . $this->scriptNonce);
+            if ($this->enableScriptNonce) {
+                $this->addScriptSrc('nonce-' . $this->scriptNonce);
+
+                if ($this->scriptSrcElem !== []) {
+                    $this->addScriptSrcElem('nonce-' . $this->scriptNonce);
+                }
             }
         }
 
@@ -868,6 +888,30 @@ public function addReportingEndpoints(array $endpoint): static
         return $this;
     }
 
+    /**
+     * Enables or disables adding nonces to style-src and style-src-elem directives.
+     *
+     * @return $this
+     */
+    public function setEnableStyleNonce(bool $value = true): static
+    {
+        $this->enableStyleNonce = $value;
+
+        return $this;
+    }
+
+    /**
+     * Enables or disables adding nonces to script-src and script-src-elem directives.
+     *
+     * @return $this
+     */
+    public function setEnableScriptNonce(bool $value = true): static
+    {
+        $this->enableScriptNonce = $value;
+
+        return $this;
+    }
+
     /**
      * DRY method to add an string or array to a class property.
      *
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -731,6 +731,22 @@ public function testBodyScriptNonce(): void
         $this->assertStringContainsString('nonce-', $header);
     }
 
+    public function testDisabledScriptNonce(): void
+    {
+        $this->csp->clearDirective('script-src');
+
+        $this->csp->setEnableScriptNonce(false);
+        $this->csp->addScriptSrc('self');
+        $this->csp->addScriptSrc('cdn.cloudy.com');
+
+        $this->assertTrue($this->work());
+
+        $header = $this->response->getHeaderLine('Content-Security-Policy');
+
+        $this->assertStringContainsString("script-src 'self' cdn.cloudy.com", $header);
+        $this->assertStringNotContainsString("script-src 'self' cdn.cloudy.com nonce-", $header);
+    }
+
     public function testBodyScriptNonceCustomScriptTag(): void
     {
         $config                 = new CSPConfig();
@@ -810,6 +826,22 @@ public function testBodyStyleNonce(): void
         $this->assertStringContainsString('nonce-', $header);
     }
 
+    public function testDisabledStyleNonce(): void
+    {
+        $this->csp->clearDirective('style-src');
+
+        $this->csp->setEnableStyleNonce(false);
+        $this->csp->addStyleSrc('self');
+        $this->csp->addStyleSrc('cdn.cloudy.com');
+
+        $this->assertTrue($this->work());
+
+        $header = $this->response->getHeaderLine('Content-Security-Policy');
+
+        $this->assertStringContainsString("style-src 'self' cdn.cloudy.com", $header);
+        $this->assertStringNotContainsString("style-src 'self' cdn.cloudy.com nonce-", $header);
+    }
+
     public function testBodyStyleNonceCustomStyleTag(): void
     {
         $config                = new CSPConfig();
