A browser Content Security Policy without `unsafe-inline` block Yii Debug scripts


### What steps will reproduce the problem?
Implement a browser Content Security Policy  _without_ `unsafe-inline`.

### What is the expected result?
The Yii debug toolbar should still appear, but it doesn't.

### What do you get instead?
The browser blocks the Yii debug toolbar's inline scripts as a security policy risk and prevents them from running.

A fix would be to allow a nonce or hash to be set against the scripts.

As a workaround, we fixed by extending `\yii\debug\Module`, and then output buffering the `renderToolbar()` and using `str_replace()` to inject a nonce into the script/style tags.


### Additional info

| Q                | A
| ---------------- | ---
| Version          | 2.1.25
| PHP version      | 8.3
| Operating system | Mac: Safari, Firefox, Chrome


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

A browser Content Security Policy without `unsafe-inline` block Yii Debug scripts #289

What steps will reproduce the problem?

What is the expected result?

What do you get instead?

Additional info

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Q	A
Version	2.1.25
PHP version	8.3
Operating system	Mac: Safari, Firefox, Chrome

Uh oh!

A browser Content Security Policy without unsafe-inline block Yii Debug scripts #289

Description

What steps will reproduce the problem?

What is the expected result?

What do you get instead?

Additional info

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

A browser Content Security Policy without `unsafe-inline` block Yii Debug scripts #289