diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php index 36292621397e..4f912a8ea011 100644 --- a/system/HTTP/ContentSecurityPolicy.php +++ b/system/HTTP/ContentSecurityPolicy.php @@ -300,11 +300,10 @@ public function getScriptNonce(): string */ public function finalize(ResponseInterface $response) { - if ($this->autoNonce === false) { - return; + if ($this->autoNonce) { + $this->generateNonces($response); } - $this->generateNonces($response); $this->buildHeaders($response); } diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php index 7542ed5a1934..19d720d9f49b 100644 --- a/tests/system/HTTP/ContentSecurityPolicyTest.php +++ b/tests/system/HTTP/ContentSecurityPolicyTest.php @@ -12,6 +12,7 @@ namespace CodeIgniter\HTTP; use CodeIgniter\Test\CIUnitTestCase; +use CodeIgniter\Test\TestResponse; use Config\App; use Config\ContentSecurityPolicy as CSPConfig; @@ -533,6 +534,9 @@ public function testBodyScriptNonceDisableAutoNonce() $csp->finalize($response); $this->assertStringContainsString('{csp-script-nonce}', $response->getBody()); + + $result = new TestResponse($response); + $result->assertHeader('Content-Security-Policy'); } public function testBodyStyleNonceDisableAutoNonce() @@ -549,6 +553,9 @@ public function testBodyStyleNonceDisableAutoNonce() $csp->finalize($response); $this->assertStringContainsString('{csp-style-nonce}', $response->getBody()); + + $result = new TestResponse($response); + $result->assertHeader('Content-Security-Policy'); } /** diff --git a/user_guide_src/source/changelogs/v4.2.7.rst b/user_guide_src/source/changelogs/v4.2.7.rst index 317d2a455a9d..721ee4b62732 100644 --- a/user_guide_src/source/changelogs/v4.2.7.rst +++ b/user_guide_src/source/changelogs/v4.2.7.rst @@ -33,6 +33,6 @@ none. Bugs Fixed ********** -none. +- Fixed a bug that prevents CSP headers from being sent when ``Config\ContentSecurityPolicy::$autoNonce`` is false. See the repo's `CHANGELOG.md `_ for a complete list of bugs fixed.