fix: CSP header is not emitted when $autoNonce is false

kenjis · kenjis · commit 91400413a65b · 2022-09-23T08:11:52.000+09:00
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -300,11 +300,10 @@ public function getScriptNonce(): string
      */
     public function finalize(ResponseInterface $response)
     {
-        if ($this->autoNonce === false) {
-            return;
+        if ($this->autoNonce) {
+            $this->generateNonces($response);
         }
 
-        $this->generateNonces($response);
         $this->buildHeaders($response);
     }
 
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -533,6 +533,9 @@ public function testBodyScriptNonceDisableAutoNonce()
         $csp->finalize($response);
 
         $this->assertStringContainsString('{csp-script-nonce}', $response->getBody());
+
+        $result = new \CodeIgniter\Test\TestResponse($response);
+        $result->assertHeader('Content-Security-Policy');
     }
 
     public function testBodyStyleNonceDisableAutoNonce()
@@ -549,6 +552,9 @@ public function testBodyStyleNonceDisableAutoNonce()
         $csp->finalize($response);
 
         $this->assertStringContainsString('{csp-style-nonce}', $response->getBody());
+
+        $result = new \CodeIgniter\Test\TestResponse($response);
+        $result->assertHeader('Content-Security-Policy');
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -300,11 +300,10 @@ public function getScriptNonce(): string`
`300`	`300`	`*/`
`301`	`301`	`public function finalize(ResponseInterface $response)`
`302`	`302`	`{`
`303`		`- if ($this->autoNonce === false) {`
`304`		`- return;`
	`303`	`+ if ($this->autoNonce) {`
	`304`	`+ $this->generateNonces($response);`
`305`	`305`	`}`
`306`	`306`
`307`		`- $this->generateNonces($response);`
`308`	`307`	`$this->buildHeaders($response);`
`309`	`308`	`}`
`310`	`309`