Apply code suggestions

Co-authored-by: John Paul E. Balandan, CPA <paulbalandan@gmail.com>

Author: patel-vansh

system/HTTP/ContentSecurityPolicy.php

@@ -902,6 +902,10 @@ protected function generateNonces(ResponseInterface $response)
         $pattern = sprintf('/(%s|%s)/', preg_quote($this->styleNonceTag, '/'), preg_quote($this->scriptNonceTag, '/'));
 
         $body = preg_replace_callback($pattern, function ($match): string {
+            if (! $this->enabled()) {
+                return '';
+            }
+
             $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce();
 
             return "nonce=\"{$nonce}\"";
@@ -923,6 +927,10 @@ protected function buildHeaders(ResponseInterface $response)
         $response->setHeader('Content-Security-Policy-Report-Only', []);
         $response->setHeader('Reporting-Endpoints', []);
 
+        if (! $this->enabled()) {
+            return;
+        }
+
         if (in_array($this->baseURI, ['', null, []], true)) {
             $this->baseURI = 'self';
         }

system/HTTP/ResponseTrait.php

@@ -367,11 +367,7 @@ public function send()
     {
         // If we're enforcing a Content Security Policy,
         // we need to give it a chance to build out it's headers.
-        if ($this->CSP->enabled()) {
-            $this->CSP->finalize($this);
-        } else {
-            $this->body = $this->CSP->clearNoncePlaceholders($this->body ?? '');
-        }
+        $this->CSP->finalize($this);
 
         $this->sendHeaders();
         $this->sendCookies();

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -937,67 +937,4 @@ public function testClearDirective(): void
         $this->assertNotContains('report-uri http://example.com/csp/reports', $directives);
         $this->assertNotContains('report-to default', $directives);
     }
-
-    public function testClearNoncePlaceholdersWithDefaultTags(): void
-    {
-        $config = new CSPConfig();
-        $csp    = new ContentSecurityPolicy($config);
-
-        $body    = 'Test {csp-script-nonce} and {csp-style-nonce} here';
-        $cleaned = $csp->clearNoncePlaceholders($body);
-
-        $this->assertSame('Test  and  here', $cleaned);
-        $this->assertStringNotContainsString('{csp-script-nonce}', $cleaned);
-        $this->assertStringNotContainsString('{csp-style-nonce}', $cleaned);
-    }
-
-    public function testClearNoncePlaceholdersWithCustomTags(): void
-    {
-        $config                 = new CSPConfig();
-        $config->scriptNonceTag = '{custom-script-nonce}';
-        $config->styleNonceTag  = '{custom-style-nonce}';
-        $csp                    = new ContentSecurityPolicy($config);
-
-        $body    = 'Test {custom-script-nonce} and {custom-style-nonce} here';
-        $cleaned = $csp->clearNoncePlaceholders($body);
-
-        $this->assertSame('Test  and  here', $cleaned);
-        $this->assertStringNotContainsString('{custom-script-nonce}', $cleaned);
-        $this->assertStringNotContainsString('{custom-style-nonce}', $cleaned);
-    }
-
-    public function testClearNoncePlaceholdersWithEmptyBody(): void
-    {
-        $config = new CSPConfig();
-        $csp    = new ContentSecurityPolicy($config);
-
-        $body    = '';
-        $cleaned = $csp->clearNoncePlaceholders($body);
-
-        $this->assertSame('', $cleaned);
-    }
-
-    public function testClearNoncePlaceholdersWithNoPlaceholders(): void
-    {
-        $config = new CSPConfig();
-        $csp    = new ContentSecurityPolicy($config);
-
-        $body    = 'Test body with no placeholders';
-        $cleaned = $csp->clearNoncePlaceholders($body);
-
-        $this->assertSame($body, $cleaned);
-    }
-
-    public function testClearNoncePlaceholdersWithMultiplePlaceholders(): void
-    {
-        $config = new CSPConfig();
-        $csp    = new ContentSecurityPolicy($config);
-
-        $body    = '<script {csp-script-nonce}>a</script><script {csp-script-nonce}>b</script><style {csp-style-nonce}>c</style>';
-        $cleaned = $csp->clearNoncePlaceholders($body);
-
-        $this->assertStringNotContainsString('{csp-script-nonce}', $cleaned);
-        $this->assertStringNotContainsString('{csp-style-nonce}', $cleaned);
-        $this->assertSame('<script >a</script><script >b</script><style >c</style>', $cleaned);
-    }
 }

tests/system/HTTP/ResponseTest.php

@@ -635,23 +635,67 @@ public function testSendRemovesCustomNoncePlaceholdersWhenCSPDisabled(): void
         $this->assertStringContainsString('<style >.x{}</style>', (string) $actual);
     }
 
-    public function testSendWithCSPDisabledDoesNotAffectBodyWithoutNonceTags(): void
+    public function testSendNoEffectWhenBodyEmptyAndCSPDisabled(): void
     {
         $config             = new App();
         $config->CSPEnabled = false;
 
         $response = new Response($config);
         $response->pretend(true);
 
-        $body = '<html><script>console.log("test")</script></html>';
+        $body = '';
         $response->setBody($body);
 
         ob_start();
         $response->send();
         $actual = ob_get_contents();
         ob_end_clean();
 
-        // Body without nonce tags should remain unchanged
-        $this->assertSame($body, $actual);
+        $this->assertSame('', (string) $actual);
+    }
+
+    public function testSendNoEffectWithNoPlaceholdersAndCSPDisabled(): void
+    {
+        $config             = new App();
+        $config->CSPEnabled = false;
+
+        $response = new Response($config);
+        $response->pretend(true);
+
+        $body = '<html><head><title>Test</title></head><body><p>No placeholders here</p></body></html>';
+        $response->setBody($body);
+
+        ob_start();
+        $response->send();
+        $actual = ob_get_contents();
+        ob_end_clean();
+
+        // Body should be unchanged when there are no placeholders and CSP is disabled
+        $this->assertSame($body, (string) $actual);
+    }
+
+    public function testSendRemovesMultiplePlaceholdersWhenCSPDisabled(): void
+    {
+        $config             = new App();
+        $config->CSPEnabled = false;
+
+        $response = new Response($config);
+        $response->pretend(true);
+
+        $body = '<html><script {csp-script-nonce}>console.log("test")</script><script {csp-script-nonce}>console.log("test2")</script><style {csp-style-nonce}>.test{}</style><style {csp-style-nonce}>.test2{}</style></html>';
+        $response->setBody($body);
+
+        ob_start();
+        $response->send();
+        $actual = ob_get_contents();
+        ob_end_clean();
+
+        // All nonce placeholders should be removed when CSP is disabled
+        $this->assertStringNotContainsString('{csp-script-nonce}', (string) $actual);
+        $this->assertStringNotContainsString('{csp-style-nonce}', (string) $actual);
+        $this->assertStringContainsString('<script >console.log("test")</script>', (string) $actual);
+        $this->assertStringContainsString('<script >console.log("test2")</script>', (string) $actual);
+        $this->assertStringContainsString('<style >.test{}</style>', (string) $actual);
+        $this->assertStringContainsString('<style >.test2{}</style>', (string) $actual);
     }
 }