Fixes issues with CSP nonces on Craft 4. Bump to 1.4.0

Author: mmikkel

CHANGELOG.md

@@ -1,5 +1,14 @@
 # ToolMate Changelog
 
+## 1.4.0 - 2022-05-14
+### Added
+- Craft domains (i.e. Craft ID and the plugin store API) are now automatically included in the `connect-src` directive for control panel requests
+- `unsafe-inline` directives are now added automatically for Yii error pages   
+### Fixed
+- Fixes an issue where unhashed CSP nonces would not be included in the actual CSP header, on Craft 4.0 
+### Changed
+- Refactored logic concerning how and when the CSP header is set  
+
 ## 1.3.1 - 2022-05-12
 ### Fixed
 - Fixed an issue where ToolMate failed to include the `'unsafe-inline'` policy resource for the `style-src` CSP directive, for site requests where the Yii debug toolbar is enabled  

composer.json

@@ -2,7 +2,7 @@
     "name": "vaersaagod/toolmate",
     "description": "Is that a tool in your pocket, or are you just happy to see me, mate?",
     "type": "craft-plugin",
-    "version": "1.3.1",
+    "version": "1.4.0",
     "keywords": [
         "craft",
         "cms",

src/ToolMate.php

@@ -4,12 +4,11 @@
 
 use Craft;
 use craft\base\Plugin;
-use craft\events\TemplateEvent;
 use craft\helpers\App;
-use craft\web\Application;
+use craft\web\Response;
+use craft\web\TemplateResponseFormatter;
 use craft\web\twig\variables\CraftVariable;
 
-use craft\web\View;
 use vaersaagod\toolmate\models\Settings;
 use vaersaagod\toolmate\services\CspService;
 use vaersaagod\toolmate\services\EmbedService;
@@ -99,8 +98,12 @@ protected function createSettingsModel(): Settings
         return new Settings();
     }
 
+    /**
+     * @return void
+     */
     protected function maybeSendCspHeader(): void
     {
+
         $cspConfig = self::getInstance()?->getSettings()->csp;
 
         if (!$cspConfig->enabled) {
@@ -111,31 +114,40 @@ protected function maybeSendCspHeader(): void
             return;
         }
 
-        // Replace hashed CSP nonces (this gets us around the template cache)
+        // Replace hashed nonces and set the CSP header for HTML responses
         Event::on(
-            View::class,
-            View::EVENT_AFTER_RENDER_PAGE_TEMPLATE,
-            static function(TemplateEvent $event) {
-                \preg_match_all('/nonce="([^"]*)"/', $event->output, $matches);
+            Response::class,
+            \yii\web\Response::EVENT_AFTER_PREPARE,
+            static function (Event $event) {
+                $response = $event->sender;
+                if (!$response instanceof Response || empty($response?->content)) {
+                    return;
+                }
+                $validFormats = [
+                    \yii\web\Response::FORMAT_RAW,
+                    \yii\web\Response::FORMAT_HTML,
+                ];
+                if (class_exists('craft\\web\\TemplateResponseFormatter')) {
+                    $validFormats[] = TemplateResponseFormatter::FORMAT;
+                }
+                if (!in_array($response?->format, $validFormats)) {
+                    return;
+                }
+                // Replace hashed CSP nonces (this gets us around the template cache)
+                \preg_match_all('/nonce="([^"]*)"/', $response->content, $matches);
                 $hashedNonces = $matches[1] ?? [];
+                $cspService = ToolMate::getInstance()->csp;
                 for ($i = 0, $iMax = \count($hashedNonces); $i < $iMax; ++$i) {
                     if (!$unhashedNonce = Craft::$app->getSecurity()->validateData($hashedNonces[$i])) {
                         continue;
                     }
                     [0 => $directive, 1 => $nonce] = \explode(':', $unhashedNonce);
-                    if (!ToolMate::getInstance()->csp->hasNonce($directive, $nonce)) {
-                        $nonce = ToolMate::getInstance()->csp->createNonce($directive);
+                    if (!$cspService->hasNonce($directive, $nonce)) {
+                        $nonce = $cspService->createNonce($directive);
                     }
-                    $event->output = \str_replace($matches[0][$i], "nonce=\"$nonce\"", $event->output);
+                    $response->content = \str_replace($matches[0][$i], "nonce=\"$nonce\"", $response->content);
                 }
-            }
-        );
-
-        Event::on(
-            Application::class,
-            \yii\base\Application::EVENT_AFTER_REQUEST,
-            static function(Event $event) {
-                ToolMate::getInstance()->csp->setHeader();
+                ToolMate::getInstance()->csp->setHeader($response);
             }
         );
     }

src/services/CspService.php

@@ -7,6 +7,8 @@
 
 use craft\elements\User;
 use craft\helpers\StringHelper;
+use craft\web\Response;
+
 use vaersaagod\toolmate\ToolMate;
 
 /**
@@ -44,32 +46,46 @@ public function hasNonce(string $directive, string $nonce): bool
     }
 
     /**
+     * @param Response $response
      * @return void
      */
-    public function setHeader(): void
+    public function setHeader(Response $response): void
     {
+
         $config = ToolMate::getInstance()?->getSettings()->csp;
+        $request = Craft::$app->getRequest();
 
         // Get directives
         $directivesConfig = $config->getDirectives();
 
-        if (Craft::$app->getRequest()->getIsSiteRequest()) {
+        if ($request->getIsSiteRequest()) {
             // If the Yii debug toolbar is visible on the front end, we unfortunately need to set the `unsafe-inline` policy for the script-src and style-src directive
+            // Also include them if the Yii error page is returned (i.e. it's an error response and dev mode is enabled)
             $currentUser = Craft::$app->getUser()->getIdentity();
-            if ($currentUser instanceof User && $currentUser->getPreference('enableDebugToolbarForSite')) {
+            if (($currentUser instanceof User && $currentUser->getPreference('enableDebugToolbarForSite')) || ($response->getStatusCode() >= 400 && Craft::$app->getConfig()->getGeneral()->devMode)) {
                 $directivesConfig->scriptSrc[] = "'unsafe-inline' 'unsafe-eval'";
                 $directivesConfig->styleSrc[] = "'unsafe-inline'";
             }
-        } elseif (Craft::$app->getRequest()->getIsCpRequest()) {
+        } elseif ($request->getIsCpRequest()) {
             // If this is a CP request, make sure some needed policies are included
             $directivesConfig->frameAncestors[] = "'self'";
             $directivesConfig->scriptSrc[] = "'unsafe-inline' 'unsafe-eval'";
             $directivesConfig->styleSrc[] = "'unsafe-inline'";
+            $directivesConfig->fontSrc[] = 'data:';
+            // Stripe
+            $directivesConfig->scriptSrc[] = 'https://js.stripe.com';
+            $directivesConfig->frameSrc[] = 'https://js.stripe.com';
+            // Make sure Craft domains are supported
+            $pluginStoreService = Craft::$app->getPluginStore();
+            $directivesConfig->connectSrc[] = 'https://' . parse_url($pluginStoreService->craftApiEndpoint, PHP_URL_HOST);
+            $directivesConfig->connectSrc[] = 'https://' . parse_url($pluginStoreService->craftIdEndpoint, PHP_URL_HOST);
+            $directivesConfig->connectSrc[] = 'https://' . parse_url($pluginStoreService->craftOauthEndpoint, PHP_URL_HOST);
+            $directivesConfig->imgSrc[] = 'https://*.craft-cdn.com';
         }
 
         // Convert directive names to kebab-case, remove duplicates, etc
         $directivesArray = $config->getDirectives()->toArray();
-        $directives = \array_reduce(\array_keys($directivesArray), static function(array $carry, string $field) use ($directivesArray) {
+        $directives = \array_reduce(\array_keys($directivesArray), static function (array $carry, string $field) use ($directivesArray) {
             $policy = \array_filter(\explode(' ', \implode(' ', $directivesArray[$field])));
             if (empty($policy)) {
                 return $carry;
@@ -90,7 +106,7 @@ public function setHeader(): void
             }
         }
 
-        // Clear nonces
+        // Clear memoized nonces
         $this->nonces = [];
 
         $cspValues = [];
@@ -101,10 +117,10 @@ public function setHeader(): void
         $csp = \implode('; ', $cspValues) . ';';
 
         if ($config->reportOnly) {
-            Craft::$app->getResponse()->getHeaders()->set('Content-Security-Policy-Report-Only', $csp);
+            $response->getHeaders()->set('Content-Security-Policy-Report-Only', $csp);
             return;
         }
 
-        Craft::$app->getResponse()->getHeaders()->set('Content-Security-Policy', $csp);
+        $response->getHeaders()->set('Content-Security-Policy', $csp);
     }
 }