fix: add nonce to script-src-elem and style-src-elem when configured (#9999)

michalsn · web-flow · commit 0fe15adf0c93 · 2026-02-24T21:26:37.000+01:00
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -400,6 +400,10 @@ public function getStyleNonce(): string
         if ($this->styleNonce === null) {
             $this->styleNonce = base64_encode(random_bytes(12));
             $this->addStyleSrc('nonce-' . $this->styleNonce);
+
+            if ($this->styleSrcElem !== []) {
+                $this->addStyleSrcElem('nonce-' . $this->styleNonce);
+            }
         }
 
         return $this->styleNonce;
@@ -413,6 +417,10 @@ public function getScriptNonce(): string
         if ($this->scriptNonce === null) {
             $this->scriptNonce = base64_encode(random_bytes(12));
             $this->addScriptSrc('nonce-' . $this->scriptNonce);
+
+            if ($this->scriptSrcElem !== []) {
+                $this->addScriptSrcElem('nonce-' . $this->scriptNonce);
+            }
         }
 
         return $this->scriptNonce;
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -900,6 +900,48 @@ public function testGetStyleNonce(): void
         );
     }
 
+    public function testGetScriptNonceAddsNonceToScriptSrcElemWhenConfigured(): void
+    {
+        $this->csp->clearDirective('script-src-elem');
+        $this->csp->addScriptSrcElem('cdn.example.com');
+        $nonce = $this->csp->getScriptNonce();
+        $this->csp->finalize($this->response);
+
+        $directives = $this->getCspDirectives($this->response->getHeaderLine('Content-Security-Policy'));
+        $this->assertContains("script-src-elem cdn.example.com 'nonce-{$nonce}'", $directives);
+    }
+
+    public function testGetScriptNonceDoesNotAddNonceToScriptSrcElemWhenCleared(): void
+    {
+        $this->csp->clearDirective('script-src-elem');
+        $this->csp->getScriptNonce();
+        $this->csp->finalize($this->response);
+
+        $header = $this->response->getHeaderLine('Content-Security-Policy');
+        $this->assertStringNotContainsString('script-src-elem', $header);
+    }
+
+    public function testGetStyleNonceAddsNonceToStyleSrcElemWhenConfigured(): void
+    {
+        $this->csp->clearDirective('style-src-elem');
+        $this->csp->addStyleSrcElem('cdn.example.com');
+        $nonce = $this->csp->getStyleNonce();
+        $this->csp->finalize($this->response);
+
+        $directives = $this->getCspDirectives($this->response->getHeaderLine('Content-Security-Policy'));
+        $this->assertContains("style-src-elem cdn.example.com 'nonce-{$nonce}'", $directives);
+    }
+
+    public function testGetStyleNonceDoesNotAddNonceToStyleSrcElemWhenCleared(): void
+    {
+        $this->csp->clearDirective('style-src-elem');
+        $this->csp->getStyleNonce();
+        $this->csp->finalize($this->response);
+
+        $header = $this->response->getHeaderLine('Content-Security-Policy');
+        $this->assertStringNotContainsString('style-src-elem', $header);
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testHeaderScriptNonceEmittedOnceGetScriptNonceCalled(): void
diff --git a/user_guide_src/source/changelogs/v4.7.1.rst b/user_guide_src/source/changelogs/v4.7.1.rst
@@ -49,6 +49,7 @@ Bugs Fixed
 
 - **ContentSecurityPolicy:** Fixed a bug where custom CSP tags were not removed from generated HTML when CSP was disabled. The method now ensures that all custom CSP tags are removed from the generated HTML.
 - **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` produces corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
+- **ContentSecurityPolicy:** Fixed a bug where nonces generated by ``getScriptNonce()`` and ``getStyleNonce()`` were not added to the ``script-src-elem`` and ``style-src-elem`` directives, causing nonces to be silently ignored by browsers when those directives were present.
 - **Database:** Fixed a bug where ``BaseConnection::callFunction()`` could double-prefix already-prefixed function names.
 - **Database:** Fixed a bug where ``BasePreparedQuery::prepare()`` could mis-handle SQL containing colon syntax by over-broad named-placeholder replacement. It now preserves PostgreSQL cast syntax like ``::timestamp``.
 - **Model:** Fixed a bug where ``BaseModel::updateBatch()`` threw an exception when ``updateOnlyChanged`` was ``true`` and the index field value did not change.
