How to configure CSP – Content Security Policy with standalone install

leon_m

Hi all,

I'm using the tracy debugger successfully without the Nette framework.

PHP 8.1
tracy 2.9

Currently in my homegrown bootstrap I have:

use Tracy\Debugger;

define('CSP_NONCE', $helper->getNonce(20));

if ($_ENV['DEBUG'] === 'DO_DEBUG') {
    Debugger::enable(Debugger::DEVELOPMENT);
}

I see a configuration example here for use with the framework:
https://tracy.nette.org/en/recipes

How can I do something similar for my set-up?

David Grudl

In pure PHP:

$nonce = base64_encode(random_bytes(20));
header("Content-Security-Policy: script-src 'nonce-$nonce' 'strict-dynamic';");

leon_m

Hmm, that doesn't seem to work for me:

menu:1 Refused to load the script 'https://example.test/admin/menu?_tracy_bar=js&v=2.9.2&XDEBUG_SESSION_STOP=1' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' https: 'self' 'nonce-8i7mcHyMxQ2K5vHXvfld4Gv8i6Y='". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

menu:238 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' https: 'self' 'nonce-8i7mcHyMxQ2K5vHXvfld4Gv8i6Y='". Either the 'unsafe-inline' keyword, a hash ('sha256-wHoNX4754AipO/33KsPYkkdbkl0U+3EdJvWmwHAmvvs='), or a nonce ('nonce-...') is required to enable inline execution.

leon_m

I've figured it out. The preg_match in the getNonce() method wasn't matching the headers. I've changed the order so that it will match the script-src correctly and all is good.

Thanks for your help.

leon_m

Just an observation. The automatic detection in getNonce is clever, but somewhat brittle. It would be good if there was an alternative way to setNonce when initialising tracy, then:

if (!empty($nonce))
return $nonce
else
return preg_match...