Merge pull request #5733 from iRedds/csp-optimization

paulbalandan · web-flow · commit ddb1400ae23c · 2022-02-25T19:20:10.000+08:00
Nonce replacement optimization.
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -671,18 +671,12 @@ protected function generateNonces(ResponseInterface $response)
             return;
         }
 
-        // Replace style placeholders with nonces
-        $pattern = '/' . preg_quote($this->styleNonceTag, '/') . '/';
-        $body    = preg_replace_callback($pattern, function () {
-            $nonce = $this->getStyleNonce();
+        // Replace style and script placeholders with nonces
+        $pattern = '/(' . preg_quote($this->styleNonceTag, '/')
+            . '|' . preg_quote($this->scriptNonceTag, '/') . ')/';
 
-            return "nonce=\"{$nonce}\"";
-        }, $body);
-
-        // Replace script placeholders with nonces
-        $pattern = '/' . preg_quote($this->scriptNonceTag, '/') . '/';
-        $body    = preg_replace_callback($pattern, function () {
-            $nonce = $this->getScriptNonce();
+        $body = preg_replace_callback($pattern, function ($match) {
+            $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce();
 
             return "nonce=\"{$nonce}\"";
         }, $body);
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -459,11 +459,16 @@ public function testBodyScriptNonce()
         $this->response->setBody($body);
         $this->csp->addScriptSrc('cdn.cloudy.com');
 
-        $result = $this->work($body);
+        $result     = $this->work($body);
+        $nonceStyle = array_filter(
+            $this->getPrivateProperty($this->csp, 'styleSrc'),
+            static fn ($value) => strpos($value, 'nonce-') === 0
+        );
 
         $this->assertStringContainsString('nonce=', $this->response->getBody());
         $result = $this->getHeaderEmitted('Content-Security-Policy');
         $this->assertStringContainsString('nonce-', $result);
+        $this->assertSame([], $nonceStyle);
     }
 
     public function testBodyScriptNonceCustomScriptTag()
@@ -525,11 +530,16 @@ public function testBodyStyleNonce()
         $this->response->setBody($body);
         $this->csp->addStyleSrc('cdn.cloudy.com');
 
-        $result = $this->work($body);
+        $result      = $this->work($body);
+        $nonceScript = array_filter(
+            $this->getPrivateProperty($this->csp, 'scriptSrc'),
+            static fn ($value) => strpos($value, 'nonce-') === 0
+        );
 
         $this->assertStringContainsString('nonce=', $this->response->getBody());
         $result = $this->getHeaderEmitted('Content-Security-Policy');
         $this->assertStringContainsString('nonce-', $result);
+        $this->assertSame([], $nonceScript);
     }
 
     public function testBodyStyleNonceCustomStyleTag()
