Add CSP support to Javascript renderer (php-debugbar#439)

* Add CSP support to Javascript renderer

* Use parameters to set CSP nonce

Author: barryvdh

src/DebugBar/JavascriptRenderer.php

@@ -82,6 +82,8 @@ class JavascriptRenderer
 
     protected $openHandlerUrl;
 
+    protected $cspNonce;
+
     /**
      * @param \DebugBar\DebugBar $debugBar
      * @param string $baseUrl
@@ -183,6 +185,9 @@ public function setOptions(array $options)
         if (array_key_exists('open_handler_url', $options)) {
             $this->setOpenHandlerUrl($options['open_handler_url']);
         }
+        if (array_key_exists('csp_nonce', $options)) {
+            $this->setCspNonce($options['csp_nonce']);
+        }
     }
 
     /**
@@ -606,6 +611,28 @@ public function getOpenHandlerUrl()
         return $this->openHandlerUrl;
     }
 
+    /**
+     * Sets the CSP Nonce (or remove it by setting to null)
+     *
+     * @param string|null $nonce
+     * @return $this
+     */
+    public function setCspNonce($nonce = null)
+    {
+        $this->cspNonce = $nonce;
+        return $this;
+    }
+
+    /**
+     * Get the CSP Nonce
+     *
+     * @return string|null
+     */
+    public function getCspNonce()
+    {
+        return $this->cspNonce;
+    }
+
     /**
      * Add assets stored in files to render in the head
      *
@@ -905,6 +932,8 @@ public function renderHead()
         list($cssFiles, $jsFiles, $inlineCss, $inlineJs, $inlineHead) = $this->getAssets(null, self::RELATIVE_URL);
         $html = '';
 
+        $nonce = $this->getNonceAttribute();
+
         foreach ($cssFiles as $file) {
             $html .= sprintf('<link rel="stylesheet" type="text/css" href="%s">' . "\n", $file);
         }
@@ -918,15 +947,15 @@ public function renderHead()
         }
 
         foreach ($inlineJs as $content) {
-            $html .= sprintf('<script type="text/javascript">%s</script>' . "\n", $content);
+            $html .= sprintf('<script type="text/javascript" %s>%s</script>' . "\n", $nonce, $content);
         }
 
         foreach ($inlineHead as $content) {
             $html .= $content . "\n";
         }
 
         if ($this->enableJqueryNoConflict && !$this->useRequireJs) {
-            $html .= '<script type="text/javascript">jQuery.noConflict(true);</script>' . "\n";
+            $html .= '<script type="text/javascript"' . $nonce . '>jQuery.noConflict(true);</script>' . "\n";
         }
 
         return $html;
@@ -1013,10 +1042,12 @@ public function render($initialize = true, $renderStackedData = true)
         $suffix = !$initialize ? '(ajax)' : null;
         $js .= $this->getAddDatasetCode($this->debugBar->getCurrentRequestId(), $this->debugBar->getData(), $suffix);
 
+        $nonce = $this->getNonceAttribute();
+
         if ($this->useRequireJs){
-            return "<script type=\"text/javascript\">\nrequire(['debugbar'], function(PhpDebugBar){ $js });\n</script>\n";
+            return "<script type=\"text/javascript\" {$nonce}>\nrequire(['debugbar'], function(PhpDebugBar){ $js });\n</script>\n";
         } else {
-            return "<script type=\"text/javascript\">\n$js\n</script>\n";
+            return "<script type=\"text/javascript\" {$nonce}>\n$js\n</script>\n";
         }
 
     }
@@ -1149,4 +1180,17 @@ protected function getAddDatasetCode($requestId, $data, $suffix = null)
         );
         return $js;
     }
+
+    /**
+     * If a nonce it set, create the correct attribute
+     * @return string
+     */
+    protected function getNonceAttribute()
+    {
+        if ($nonce = $this->getCspNonce()) {
+            return 'nonce="' . $nonce .'"';
+        }
+
+        return '';
+    }
 }