fix using csp nonce by passing it from the view to the default script…

… tag and added explanations in the readme
whitecube · Debatty-Tom · Oct 8, 2025 · Oct 8, 2025 · Oct 20, 2025 · Oct 21, 2025
commit c902ac4d3de469307b815c58336116c66936f65e
diff --git a/README.md b/README.md
@@ -439,6 +439,29 @@ $factors['years'] = [365, 'dayz'];
 
 More information on CarbonInterval's gotchas in [Constantin's blog post on chasingcode.dev](https://chasingcode.dev/blog/carbon-php-practical-examples/).
 
+### Content Security Policy
+
+This package supports CSP nonces for secure script loading. Pass your nonce to the @cookieconsentscripts directive:
+
+```blade
+{{-- Basic usage with nonce --}}
+@cookieconsentscripts($yourNonce)
+
+{{-- Example with Spatie Laravel CSP --}}
+@cookieconsentscripts(app('csp-nonce'))
+
+{{-- Without CSP --}}
+@cookieconsentscripts
+```
+
+How It Works
+
+When you provide a nonce, it's added to the script tag:
+
+```html
+<script src="/cookie-consent-script" nonce="your-nonce-here" defer></script>
+```
+
 ### Let your users change their mind
 
 Users should be able to change their consent settings at any time. No worries, with this package it is quite simple to achieve: generate a button that will reset the user's cookies and show the consent modal again.

diff --git a/config/cookieconsent.php b/config/cookieconsent.php
@@ -55,19 +55,6 @@
 
     'policy' => null,
 
-    /*
-    |--------------------------------------------------------------------------
-    | CSP configuration
-    |--------------------------------------------------------------------------
-    |
-    | Most cookie notices display a link to a dedicated page explaining
-    | the extended cookies usage policy. If your application has such a page
-    | you can add its route name here.
-    |
-    */
-
-    'csp_enable' => env('CSP_ENABLE', false),
-
     /* Google Analytics configuration
     |--------------------------------------------------------------------------
     |

diff --git a/src/CookiesManager.php b/src/CookiesManager.php
@@ -168,11 +168,11 @@ protected function makeConsentCookie(): CookieComponent
     /**
      * Output all the scripts for current consent state.
      */
-    public function renderScripts(bool $withDefault = true): string
+    public function renderScripts(bool $withDefault = true, ?string $nonce = null): string
     {
         $output = $this->shouldDisplayNotice()
-            ? $this->getNoticeScripts($withDefault)
-            : $this->getConsentedScripts($withDefault);
+            ? $this->getNoticeScripts($withDefault, $nonce)
+            : $this->getConsentedScripts($withDefault, $nonce);
 
         if(strlen($output)) {
             $output = '<!-- Cookie Consent -->' . $output;
@@ -181,14 +181,14 @@ public function renderScripts(bool $withDefault = true): string
         return $output;
     }
 
-    public function getNoticeScripts(bool $withDefault): string
+    public function getNoticeScripts(bool $withDefault, ?string $nonce = null): string
     {
-        return $withDefault ? $this->getDefaultScriptTag() : '';
+        return $withDefault ? $this->getDefaultScriptTag($nonce) : '';
     }
 
-    protected function getConsentedScripts(bool $withDefault): string
+    protected function getConsentedScripts(bool $withDefault, ?string $nonce = null): string
     {
-        $output = $this->getNoticeScripts($withDefault);
+        $output = $this->getNoticeScripts($withDefault, $nonce);
 
         foreach ($this->getConsentResponse()->getResponseScripts() ?? [] as $tag) {
             $output .= $tag;
@@ -197,23 +197,16 @@ protected function getConsentedScripts(bool $withDefault): string
         return $output;
     }
 
-    protected function getDefaultScriptTag(): string
+    protected function getDefaultScriptTag(?string $nonce = null): string
     {
-        $csp_enable = config('cookieconsent.csp_enable', false);
-
         return '<script '
             . 'src="' . route('cookieconsent.script') . '?id='
-            . md5(\filemtime(LCC_ROOT . '/dist/script.js')) . '" '
-            . ($csp_enable ? 'nonce="' . $this->generateCspNonce() . '" ' : '')
+            .  md5(\filemtime(LCC_ROOT . '/dist/script.js')) . '" '
+            . ($nonce ? 'nonce="' . $nonce . '" ' : '')
             . 'defer'
             . '></script>';
     }
 
-    protected function generateCspNonce(): string
-    {
-        return bin2hex(random_bytes(16));
-    }
-
     /**
      * Output the consent alert/modal for current consent state.
      */

diff --git a/src/ServiceProvider.php b/src/ServiceProvider.php
@@ -64,9 +64,8 @@ public function boot()
     protected function registerBladeDirectives()
     {
         Blade::directive('cookieconsentscripts', function (string $expression) {
-            return '<?php echo ' . Facades\Cookies::class . '::renderScripts(' . $expression . '); ?>';
+            return '<?php echo ' . Facades\Cookies::class . '::renderScripts(!empty($expression) ? true, ' . $expression . ' : ""); ?>';
         });
-
         Blade::directive('cookieconsentview', function (string $expression) {
             return '<?php echo ' . Facades\Cookies::class . '::renderView(); ?>';
         });