Skip to content

Added csp option on default script tag #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Debatty-Tom wants to merge 6 commits into
base: 2.x
Choose a base branch
from
Open

Added csp option on default script tag #98

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b4a0790
Added csp option on default script tag
Debatty-Tom Oct 8, 2025
6efe10d
Refactor return script and add some complexity to the nonce
Debatty-Tom Oct 8, 2025
c902ac4
fix using csp nonce by passing it from the view to the default script…
Debatty-Tom Oct 20, 2025
2fbc9df
Removed unused import
Debatty-Tom Oct 21, 2025
0def872
fix parameters for blade directive
Debatty-Tom Nov 14, 2025
9bbe024
giving the nonce to the different generated script tags
Debatty-Tom Nov 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions config/cookieconsent.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,19 @@

'policy' => null,

/*
|--------------------------------------------------------------------------
| CSP configuration
|--------------------------------------------------------------------------
|
| Most cookie notices display a link to a dedicated page explaining
| the extended cookies usage policy. If your application has such a page
| you can add its route name here.
|
*/
Copy link
Member

@toonvandenbos toonvandenbos Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a specific description for the CSP configuration, including:

  • What it relates to (you may add a link to Spatie's CSP package)
  • How to configure it for Spatie's CSP package: env('CSP_ENABLE', false) && env('CSP_NONCE_ENABLED', true)


'csp_enable' => env('CSP_ENABLE', false),
Copy link
Member

@toonvandenbos toonvandenbos Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just set it to false by default. People using spatie's package should refer to the updated configuration description (see previous comment).


/* Google Analytics configuration
|--------------------------------------------------------------------------
|
Expand Down
9 changes: 9 additions & 0 deletions src/CookiesManager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cookie as CookieFacade;
use Illuminate\Support\Str;
Copy link
Member

@toonvandenbos toonvandenbos Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unused facade.

use Symfony\Component\HttpFoundation\Cookie as CookieComponent;

class CookiesManager
Expand Down Expand Up @@ -198,13 +199,21 @@ protected function getConsentedScripts(bool $withDefault): string

protected function getDefaultScriptTag(): string
{
$csp_enable = config('cookieconsent.csp_enable', false);

return '<script '
. 'src="' . route('cookieconsent.script') . '?id='
. md5(\filemtime(LCC_ROOT . '/dist/script.js')) . '" '
. ($csp_enable ? 'nonce="' . $this->generateCspNonce() . '" ' : '')
. 'defer'
. '></script>';
}

protected function generateCspNonce(): string
{
return bin2hex(random_bytes(16));
}

Copy link
Member

@toonvandenbos toonvandenbos Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Developers should be able to plug into this nonce generating behavior since their CSP setup could be completely different. For instance, when using spatie's package, one should be able to use the package's nonce_generator. In fact, I can't think of a single use case where the nonce generated by this package would be used.

/**
* Output the consent alert/modal for current consent state.
*/
Expand Down