Stop nonces from being added in HTML

patel-vansh · patel-vansh · commit 3f8e56b3dd79 · 2026-04-01T15:47:09.000+05:30
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -411,15 +411,17 @@ public function enabled(): bool
      */
     public function getStyleNonce(): string
     {
+        if (! $this->enableStyleNonce) {
+            $this->styleNonce = null;
+            return '';
+        }
+
         if ($this->styleNonce === null) {
             $this->styleNonce = base64_encode(random_bytes(12));
+            $this->addStyleSrc('nonce-' . $this->styleNonce);
 
-            if ($this->enableStyleNonce) {
-                $this->addStyleSrc('nonce-' . $this->styleNonce);
-
-                if ($this->styleSrcElem !== []) {
-                    $this->addStyleSrcElem('nonce-' . $this->styleNonce);
-                }
+            if ($this->styleSrcElem !== []) {
+                $this->addStyleSrcElem('nonce-' . $this->styleNonce);
             }
         }
 
@@ -431,15 +433,17 @@ public function getStyleNonce(): string
      */
     public function getScriptNonce(): string
     {
+        if (! $this->enableScriptNonce) {
+            $this->scriptNonce = null;
+            return '';
+        }
+
         if ($this->scriptNonce === null) {
             $this->scriptNonce = base64_encode(random_bytes(12));
+            $this->addScriptSrc('nonce-' . $this->scriptNonce);
 
-            if ($this->enableScriptNonce) {
-                $this->addScriptSrc('nonce-' . $this->scriptNonce);
-
-                if ($this->scriptSrcElem !== []) {
-                    $this->addScriptSrcElem('nonce-' . $this->scriptNonce);
-                }
+            if ($this->scriptSrcElem !== []) {
+                $this->addScriptSrcElem('nonce-' . $this->scriptNonce);
             }
         }
 
@@ -963,7 +967,20 @@ protected function generateNonces(ResponseInterface $response)
                 return '';
             }
 
-            $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce();
+            if ($match[0] === $this->styleNonceTag) {
+                if (! $this->enableStyleNonce) {
+                    return '';
+                }
+
+                $nonce = $this->getStyleNonce();
+            } else {
+                if (! $this->enableScriptNonce) {
+                    return '';
+                }
+
+                $nonce = $this->getScriptNonce();
+            }
+
             $attr  = 'nonce="' . $nonce . '"';
 
             return $jsonEscape ? str_replace('"', '\\"', $attr) : $attr;
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -739,9 +739,12 @@ public function testDisabledScriptNonce(): void
         $this->csp->addScriptSrc('self');
         $this->csp->addScriptSrc('cdn.cloudy.com');
 
-        $this->assertTrue($this->work());
+        $this->assertTrue($this->work('<script {csp-script-nonce}></script>'));
 
         $header = $this->response->getHeaderLine('Content-Security-Policy');
+        $body = $this->response->getBody();
+
+        $this->assertStringNotContainsString('nonce=', $body);
 
         $this->assertStringContainsString("script-src 'self' cdn.cloudy.com", $header);
         $this->assertStringNotContainsString("script-src 'self' cdn.cloudy.com nonce-", $header);
@@ -834,9 +837,12 @@ public function testDisabledStyleNonce(): void
         $this->csp->addStyleSrc('self');
         $this->csp->addStyleSrc('cdn.cloudy.com');
 
-        $this->assertTrue($this->work());
+        $this->assertTrue($this->work("<style {csp-style-nonce}></style>"));
 
         $header = $this->response->getHeaderLine('Content-Security-Policy');
+        $body = $this->response->getBody();
+
+        $this->assertStringNotContainsString('nonce=', $body);
 
         $this->assertStringContainsString("style-src 'self' cdn.cloudy.com", $header);
         $this->assertStringNotContainsString("style-src 'self' cdn.cloudy.com nonce-", $header);
