Option to use debugbar with content-security-policy headers (barryvdh#569)

* Option to use debugbar with content-security-policy headers

* Update default value for csp-compatible

Users that have don't update the config file will use this default,

Author: Ricky-rick

config/debugbar.php

@@ -164,6 +164,17 @@
         ],
     ],
 
+    /*
+     |--------------------------------------------------------------------------
+     | Content security policy compatible
+     |--------------------------------------------------------------------------
+     |
+     | If you have set a content security policy in your header you need to set
+     | this variable to true. You need to add "img-src:'self' data:" to your
+     | csp header. Note: Storage needs to be enabled for this to work.
+     |
+     */
+    'csp-compatible' => false,
     /*
      |--------------------------------------------------------------------------
      | Inject Debugbar in Response

src/Controllers/AssetController.php

@@ -44,6 +44,17 @@ public function css()
         return $this->cacheResponse($response);
     }
 
+    public function init()
+    {
+        $renderer = $this->debugbar->getJavascriptRenderer();
+        $content = $renderer->renderInitScript();
+        $response = new Response(
+            $content, 200, [
+                'Content-Type' => 'text/javascript',
+            ]
+        );
+        return $this->cacheResponse($response);
+    }
     /**
      * Cache the response 1 year (31536000 sec)
      */

src/JavascriptRenderer.php

@@ -75,6 +75,16 @@ protected function getInlineHtml()
 
         return $html;
     }
+    protected function getJsInitializationCode()
+    {
+        $js = '';
+        if ($this->isJqueryNoConflictEnabled()) {
+            $js .= 'jQuery.noConflict(true);' . "\n";
+        }
+
+        return $js . parent::getJsInitializationCode();
+    }
+
     /**
      * Get the last modified time of any assets.
      *
@@ -113,6 +123,24 @@ public function dumpAssetsToString($type)
         return $content;
     }
 
+    /**
+     * Return the init script as a string
+     *
+     * @return string
+     */
+    public function renderInitScript()
+    {
+        $openHandlerUrl = route('debugbar.openhandler');
+        $this->setOpenHandlerUrl($openHandlerUrl);
+        $content = $this->getJsInitializationCode();
+        $content .= sprintf(
+            "%s.loadDataSet($(\"span[data-debugbar-id]\").attr(\"data-debugbar-id\"), \"(ajax)\");\n",
+            $this->variableName,
+            $this->openHandlerClass,
+            json_encode(array("url" => $this->openHandlerUrl))
+        );
+        return $content;
+    }
     /**
      * Makes a URI relative to another
      *

src/LaravelDebugbar.php

@@ -730,6 +730,12 @@ public function modifyResponse(Request $request, Response $response)
             } catch (\Exception $e) {
                 $app['log']->error('Debugbar exception: ' . $e->getMessage());
             }
+        } elseif ($app['config']->get('debugbar.inject', true) && $app['config']->get('debugbar.csp-compatible', false)) {
+            try {
+                $this->injectDebugbarCSP($response);
+            } catch (\Exception $e) {
+                $app['log']->error('Debugbar exception: ' . $e->getMessage());
+            }
         } elseif ($app['config']->get('debugbar.inject', true)) {
             try {
                 $this->injectDebugbar($response);
@@ -861,6 +867,43 @@ public function injectDebugbar(Response $response)
         $response->headers->remove('Content-Length');
     }
 
+    public function injectDebugbarCSP(Response $response)
+    {
+        if (!$this->app['config']->get('debugbar.storage.enabled')) {
+            throw new \Exception('Store needs to be enabled for content security policy');
+        }
+        //collect and store data
+        $this->collect();
+
+        $content = $response->getContent();
+
+        $renderer = $this->getJavascriptRenderer();
+        if ($this->getStorage()) {
+            $openHandlerUrl = route('debugbar.openhandler');
+            $renderer->setOpenHandlerUrl($openHandlerUrl);
+        }
+
+        $initRoute = route('debugbar.assets.init', [
+            'v' => filemtime(config_path('debugbar.php'))
+        ]);
+	
+	$initRoute = preg_replace('/\Ahttps?:/', '', $initRoute);
+	
+        $scriptContent = $renderer->renderHead() .
+            "<span data-debugbar-id='{$this->getCurrentRequestId()}'></span> 
+            <script type='text/javascript' src='{$initRoute}'></script>";
+
+        $pos = strripos($content, '</body>');
+        if (false !== $pos) {
+            $content = substr($content, 0, $pos) . $scriptContent . substr($content, $pos);
+        } else {
+            $content = $content . $scriptContent;
+        }
+
+        // Update the new content and reset the content length
+        $response->setContent($content);
+        $response->headers->remove('Content-Length');
+    }
     /**
      * Disable the Debugbar
      */

src/ServiceProvider.php

@@ -94,6 +94,11 @@ public function boot()
                 'as' => 'debugbar.assets.js',
             ]);
 
+            $router->get('assets/init', [
+                'uses' => 'AssetController@init',
+                'as' => 'debugbar.assets.init',
+            ]);
+
             $router->delete('cache/{key}/{tags?}', [
                 'uses' => 'CacheController@delete',
                 'as' => 'debugbar.cache.delete',