Merge pull request #6570 from kenjis/fix-csp-autoNonce

fix: CSP autoNonce = false

Author: kenjis

system/HTTP/ContentSecurityPolicy.php

@@ -300,11 +300,10 @@ public function getScriptNonce(): string
      */
     public function finalize(ResponseInterface $response)
     {
-        if ($this->autoNonce === false) {
-            return;
+        if ($this->autoNonce) {
+            $this->generateNonces($response);
         }
 
-        $this->generateNonces($response);
         $this->buildHeaders($response);
     }
 

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -12,6 +12,7 @@
 namespace CodeIgniter\HTTP;
 
 use CodeIgniter\Test\CIUnitTestCase;
+use CodeIgniter\Test\TestResponse;
 use Config\App;
 use Config\ContentSecurityPolicy as CSPConfig;
 
@@ -533,6 +534,9 @@ public function testBodyScriptNonceDisableAutoNonce()
         $csp->finalize($response);
 
         $this->assertStringContainsString('{csp-script-nonce}', $response->getBody());
+
+        $result = new TestResponse($response);
+        $result->assertHeader('Content-Security-Policy');
     }
 
     public function testBodyStyleNonceDisableAutoNonce()
@@ -549,6 +553,9 @@ public function testBodyStyleNonceDisableAutoNonce()
         $csp->finalize($response);
 
         $this->assertStringContainsString('{csp-style-nonce}', $response->getBody());
+
+        $result = new TestResponse($response);
+        $result->assertHeader('Content-Security-Policy');
     }
 
     /**

user_guide_src/source/changelogs/v4.2.7.rst

@@ -33,6 +33,6 @@ none.
 Bugs Fixed
 **********
 
-none.
+- Fixed a bug that prevents CSP headers from being sent when ``Config\ContentSecurityPolicy::$autoNonce`` is false.
 
 See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.