
debugbar 3.15.1 conflicts with CSP policy

Open fdelvals opened this issue 9 months ago • 4 comments

hello,

We have enabled a strict CSP policy which has been working fine with debugbar 3.14.x

Suddenly we have updated debugbar to 3.15.1 and this fails:

Image

We have pinned 3.14 until a quickfix pops out.

fdelvals avatar Feb 24 '25 12:02 fdelvals

Hmm, which CSP package are you using? Or how do you set your policy and CSP tag?

barryvdh avatar Feb 24 '25 14:02 barryvdh

maybe the new paths: https://github.com/php-debugbar/php-debugbar/pull/730/files

parallels999 avatar Feb 24 '25 15:02 parallels999

This is for laravel debugbar I think, looking at the version. That uses its own routes

barryvdh avatar Feb 24 '25 15:02 barryvdh

@barryvdh Same issue here, except that when I enable the middleware, debugbar will no longer be injected in the Inertia application, but the functionality (log files, etc.) is still working. Might it be an idea to include a CSP check to at least give a warning in the Laravel log files?

AddContentSecurityPolicyHeaders.php

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Vite;
use RuntimeException;
use Symfony\Component\HttpFoundation\Response;

class AddContentSecurityPolicyHeaders {
    /**
     * Handle an incoming request.
     *
     * @param Request $request
     * @param Closure $next
     *
     * @return Response
     */
    public function handle(Request $request, Closure $next): Response {
        Vite::useCspNonce();

        // Run the rest of the pipeline once and keep the result; calling
        // $next($request) twice executes every downstream handler twice.
        $response = $next($request);

        if ($response instanceof Response) {
            // headers->set() works for every Symfony-based response type
            // (HTML, JSON, redirect), not only Illuminate\Http\Response.
            $response->headers->set(
                'Content-Security-Policy',
                "script-src 'nonce-".Vite::cspNonce()."'"
            );

            return $response;
        }

        throw new RuntimeException('Expected instance of Symfony\Component\HttpFoundation\Response in handle AddContentSecurityPolicyHeaders middleware');
    }
}

Packages:

"inertiajs/inertia-laravel": "^2.0",
"laravel/framework": "^12.0",
"barryvdh/laravel-debugbar": "^3.15",

JeffreyTheTukkr avatar Apr 18 '25 08:04 JeffreyTheTukkr
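The "warn in the Laravel log when Debugbar is going to be blocked" idea from the comment above, written out as an added example; this is not code from the thread or from laravel-debugbar itself. It assumes laravel-debugbar's `debugbar` container binding with its public `isEnabled()` method, and that a missing `Content-Type` means HTML (Symfony only fills in `text/html` during `prepare()`, after middleware has run). The `scriptSrcAllowsInline()` helper applies the standard CSP rule that a `script-src` carrying a nonce or hash source makes browsers ignore `'unsafe-inline'`, so inline script without a matching nonce is blocked.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Vite;
use Symfony\Component\HttpFoundation\Response;

class AddContentSecurityPolicyHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        Vite::useCspNonce();

        // Run the rest of the pipeline exactly once and keep the response.
        $response = $next($request);

        $policy = "script-src 'nonce-" . Vite::cspNonce() . "'";
        // headers->set() works for every Symfony-based response type.
        $response->headers->set('Content-Security-Policy', $policy);

        // Debugbar only injects into HTML responses, so warn only there.
        if ($this->isHtml($response)
            && $this->debugbarEnabled()
            && ! self::scriptSrcAllowsInline($policy)) {
            Log::warning(
                'Debugbar is enabled but the Content-Security-Policy script-src '
                . 'directive blocks inline script without a matching nonce; '
                . 'the injected debugbar may not load.',
                ['policy' => $policy, 'path' => $request->path()]
            );
        }

        return $response;
    }

    private function isHtml(Response $response): bool
    {
        // Assumption: no Content-Type yet means Symfony will default it to text/html.
        $contentType = $response->headers->get('Content-Type');

        return $contentType === null || str_contains($contentType, 'text/html');
    }

    private function debugbarEnabled(): bool
    {
        // Assumption: laravel-debugbar binds its LaravelDebugbar instance as
        // 'debugbar' in the container and exposes isEnabled() on it.
        return app()->bound('debugbar') && app('debugbar')->isEnabled();
    }

    /**
     * Parse the script-src directive (falling back to default-src) and report
     * whether inline scripts that carry no matching nonce/hash could still run.
     */
    public static function scriptSrcAllowsInline(string $policy): bool
    {
        $directives = [];
        foreach (explode(';', $policy) as $directive) {
            $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
            if ($tokens === []) {
                continue;
            }
            $name = strtolower(array_shift($tokens));
            $directives[$name] = array_map('strtolower', $tokens);
        }

        $sources = $directives['script-src'] ?? $directives['default-src'] ?? null;
        if ($sources === null) {
            return true; // no script restriction at all
        }

        // A nonce- or hash-source in the list makes browsers ignore 'unsafe-inline'.
        $hasNonceOrHash = false;
        foreach ($sources as $source) {
            if (str_starts_with($source, "'nonce-") || str_starts_with($source, "'sha")) {
                $hasNonceOrHash = true;
            }
        }

        return in_array("'unsafe-inline'", $sources, true) && ! $hasNonceOrHash;
    }
}
```

With the nonce-only policy from the thread, `scriptSrcAllowsInline()` returns `false`, so a warning lands in the Laravel log once per HTML response while Debugbar is enabled; with a policy such as `script-src 'self' 'unsafe-inline'` (no nonce or hash) it returns `true` and stays quiet. The check is about logging a diagnosis, not about loosening the policy: the middleware still emits the strict nonce header unchanged.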