Add missing style-src=unsafe-inline directive for site requests if the Yii debug bar is enabled. Bump to 1.3.1

mmikkel · mmikkel · commit 5df55f423d90 · 2022-05-12T23:05:47.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # ToolMate Changelog
 
+## 1.3.1 - 2022-05-12
+### Fixed
+- Fixed an issue where ToolMate failed to include the `'unsafe-inline'` policy resource for the `style-src` CSP directive to `unsafe-inline`, for site requests where the Yii debug toolbar is enabled  
+
 ## 1.3.0.3 - 2022-04-28
 ### Fixed
 - Fixed issue in Settings introduced in the Craft 4 refactoring.
diff --git a/composer.json b/composer.json
@@ -2,7 +2,7 @@
     "name": "vaersaagod/toolmate",
     "description": "Is that a tool in your pocket, or are you just happy to see me, mate?",
     "type": "craft-plugin",
-    "version": "1.3.0.3",
+    "version": "1.3.1",
     "keywords": [
         "craft",
         "cms",
diff --git a/src/services/CspService.php b/src/services/CspService.php
@@ -53,16 +53,18 @@ public function setHeader(): void
         // Get directives
         $directivesConfig = $config->getDirectives();
 
-        // If this is a CP request, make sure some needed policies are included
         if (Craft::$app->getRequest()->getIsSiteRequest()) {
-            // If the Yii debug toolbar is visible on the front end, we unfortunately need to set the `unsafe-inline` policy for the script-src directive
+            // If the Yii debug toolbar is visible on the front end, we unfortunately need to set the `unsafe-inline` policy for the script-src and style-src directive
             $currentUser = Craft::$app->getUser()->getIdentity();
             if ($currentUser instanceof User && $currentUser->getPreference('enableDebugToolbarForSite')) {
                 $directivesConfig->scriptSrc[] = "'unsafe-inline' 'unsafe-eval'";
+                $directivesConfig->styleSrc[] = "'unsafe-inline'";
             }
         } elseif (Craft::$app->getRequest()->getIsCpRequest()) {
+            // If this is a CP request, make sure some needed policies are included
             $directivesConfig->frameAncestors[] = "'self'";
             $directivesConfig->scriptSrc[] = "'unsafe-inline' 'unsafe-eval'";
+            $directivesConfig->styleSrc[] = "'unsafe-inline'";
         }
 
         // Convert directive names to kebab-case, remove duplicates, etc
