Addressing the case when both $CSPEnabled and $autoNonce are false.

patel-vansh · patel-vansh · commit 68084298965b · 2026-02-12T14:54:24.000+05:30
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -429,6 +429,14 @@ public function finalize(ResponseInterface $response)
     {
         if ($this->autoNonce) {
             $this->generateNonces($response);
+        } else {
+            // If we're not auto-generating nonces, we should remove any nonce placeholders from the body to prevent them from being rendered.
+            $body = (string) $response->getBody();
+
+            if ($body !== '') {
+                $body = str_replace([$this->styleNonceTag, $this->scriptNonceTag], '', $body);
+                $response->setBody($body);
+            }
         }
 
         $this->buildHeaders($response);
diff --git a/tests/system/HTTP/ResponseTest.php b/tests/system/HTTP/ResponseTest.php
@@ -698,4 +698,36 @@ public function testSendRemovesMultiplePlaceholdersWhenCSPDisabled(): void
         $this->assertStringContainsString('<style >.test{}</style>', $actual);
         $this->assertStringContainsString('<style >.test2{}</style>', $actual);
     }
+
+    public function testSendRemovesPlaceholdersWhenBothCSPAndAutoNonceAreDisabled(): void
+    {
+        $appConfig             = new App();
+        $appConfig->CSPEnabled = false;
+
+        // Create custom CSP config with custom nonce tags
+        $cspConfig            = new \Config\ContentSecurityPolicy();
+        $cspConfig->autoNonce = false;
+
+        $response = new Response($appConfig);
+        $response->pretend(true);
+
+        // Inject the custom CSP config
+        $reflection  = new ReflectionClass($response);
+        $cspProperty = $reflection->getProperty('CSP');
+        $cspProperty->setValue($response, new ContentSecurityPolicy($cspConfig));
+
+        $body = '<html><script {csp-script-nonce}>test()</script><style {csp-style-nonce}>.x{}</style></html>';
+        $response->setBody($body);
+
+        ob_start();
+        $response->send();
+        $actual = ob_get_clean();
+
+        // Custom nonce placeholders should be removed when CSP is disabled
+        $this->assertIsString($actual);
+        $this->assertStringNotContainsString('{csp-script-nonce}', $actual);
+        $this->assertStringNotContainsString('{csp-style-nonce}', $actual);
+        $this->assertStringContainsString('<script >test()</script>', $actual);
+        $this->assertStringContainsString('<style >.x{}</style>', $actual);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -429,6 +429,14 @@ public function finalize(ResponseInterface $response)`
`429`	`429`	`{`
`430`	`430`	`if ($this->autoNonce) {`
`431`	`431`	`$this->generateNonces($response);`
	`432`	`+ } else {`
	`433`	`+ // If we're not auto-generating nonces, we should remove any nonce placeholders from the body to prevent them from being rendered.`
	`434`	`+ $body = (string) $response->getBody();`
	`435`	`+`
	`436`	`+ if ($body !== '') {`
	`437`	`+ $body = str_replace([$this->styleNonceTag, $this->scriptNonceTag], '', $body);`
	`438`	`+ $response->setBody($body);`
	`439`	`+ }`
`432`	`440`	`}`
`433`	`441`
`434`	`442`	`$this->buildHeaders($response);`