How to configure CSP – Content Security Policy with standalone install
- leon_m
- Member | 6
Hi all,
I'm using the Tracy debugger successfully without the Nette framework.
PHP 8.1
Tracy 2.9
Currently in my homegrown bootstrap I have:
use Tracy\Debugger;
define('CSP_NONCE', $helper->getNonce(20));
if ($_ENV['DEBUG'] === 'DO_DEBUG') {
Debugger::enable(Debugger::DEVELOPMENT);
}
I see a configuration example here for use with the framework:
https://tracy.nette.org/en/recipes
How can I do something similar for my set-up?
- David Grudl
- Nette Core | 8239
In pure PHP:
$nonce = base64_encode(random_bytes(20));
header("Content-Security-Policy: script-src 'nonce-$nonce' 'strict-dynamic';");
- leon_m
- Member | 6
Hmm, that doesn't seem to work for me:
menu:1 Refused to load the script 'https://example.test/admin/menu?_tracy_bar=js&v=2.9.2&XDEBUG_SESSION_STOP=1' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' https: 'self' 'nonce-8i7mcHyMxQ2K5vHXvfld4Gv8i6Y='". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
menu:238 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' https: 'self' 'nonce-8i7mcHyMxQ2K5vHXvfld4Gv8i6Y='". Either the 'unsafe-inline' keyword, a hash ('sha256-wHoNX4754AipO/33KsPYkkdbkl0U+3EdJvWmwHAmvvs='), or a nonce ('nonce-...') is required to enable inline execution.
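The policy quoted in those browser errors (`'strict-dynamic' https: 'self' 'nonce-…'`) is not the one from the two-line header above, so the header the browser actually receives is being set or overwritten elsewhere, and the Tracy bar script carries no nonce matching it. The bootstrap below is an added example for a standalone install, not code from this thread or from the Tracy project; it assumes Tracy is installed via Composer and that `Tracy\Helpers::getNonce()` reads the nonce back from the CSP header already present in `headers_list()` (which is why the header must be sent before Tracy renders anything).

```php
<?php
// Added example: standalone (non-Nette) bootstrap that sends a nonce-based CSP
// before enabling Tracy. Not code from the forum thread or the Tracy project.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';   // assumption: Composer install

use Tracy\Debugger;
use Tracy\Helpers;

// One fresh nonce per response from a CSPRNG (20 bytes -> 28 base64 chars).
$nonce = base64_encode(random_bytes(20));

// Send the policy BEFORE any output. With 'strict-dynamic' the host entries
// (https:, 'self') are ignored by CSP3 browsers: only scripts carrying this
// nonce, or scripts they load, may run. object-src/base-uri are the usual
// hardening additions (assumed, not part of the thread's snippet).
header(sprintf(
    "Content-Security-Policy: script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'self'",
    $nonce,
));

if (($_ENV['DEBUG'] ?? '') === 'DO_DEBUG') {
    Debugger::enable(Debugger::DEVELOPMENT);
}

// Tracy picks the nonce up from the header it finds in headers_list() and puts
// it on its own <script> tags; use the same value for your templates so that
// application scripts and the debug bar both satisfy the policy.
define('CSP_NONCE', Helpers::getNonce() ?? $nonce);

// Sanity check: verify that the nonce Tracy sees is the one we generated.
// If this returns false, another layer (web server, middleware) is sending a
// different Content-Security-Policy header and Tracy's scripts will be refused.
function cspNonceMatches(string $expected): bool
{
    return Helpers::getNonce() === $expected;
}

// Template side: every inline or external <script> must carry the nonce.
function scriptTag(string $js): string
{
    return '<script nonce="' . htmlspecialchars(CSP_NONCE, ENT_QUOTES) . '">' . $js . '</script>';
}
```

If `cspNonceMatches($nonce)` is false, check the web server configuration for a second `Content-Security-Policy` header; that is the situation the quoted browser errors describe, since the policy they report is not the one this bootstrap sends.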