What steps will reproduce the problem?
Implement a browser Content Security Policy without unsafe-inline.
What is the expected result?
The Yii debug toolbar should still appear, but it doesn't.
What do you get instead?
The browser blocks the Yii debug toolbar's inline scripts as a security policy risk and prevents them from running.
A fix would be to allow a nonce or hash to be set against the scripts.
As a workaround, we fixed by extending \yii\debug\Module, and then output buffering the renderToolbar() and using str_replace() to inject a nonce into the script/style tags.
Additional info
| Q |
A |
| Version |
2.1.25 |
| PHP version |
8.3 |
| Operating system |
Mac: Safari, Firefox, Chrome |
What steps will reproduce the problem?
Implement a browser Content Security Policy without
unsafe-inline.What is the expected result?
The Yii debug toolbar should still appear, but it doesn't.
What do you get instead?
The browser blocks the Yii debug toolbar's inline scripts as a security policy risk and prevents them from running.
A fix would be to allow a nonce or hash to be set against the scripts.
As a workaround, we fixed by extending
\yii\debug\Module, and then output buffering therenderToolbar()and usingstr_replace()to inject a nonce into the script/style tags.Additional info