Merge pull request #382 from TheFRedFox/master

Removed inline javascript and style code to support Content Security Policy

Author: markstory

src/Controller/RequestsController.php

@@ -36,6 +36,8 @@ public function beforeFilter(Event $event)
         if (!Configure::read('debug')) {
             throw new NotFoundException();
         }
+
+        $this->response->header(['Content-Security-Policy' => '']);
     }
 
     /**

src/Routing/Filter/DebugBarFilter.php

@@ -233,8 +233,7 @@ protected function _injectScripts($id, $response)
             return;
         }
         $url = Router::url('/', true);
-        $script = "<script>var __debug_kit_id = '${id}', __debug_kit_base_url = '${url}';</script>";
-        $script .= '<script src="' . Router::url('/debug_kit/js/toolbar.js') . '"></script>';
+        $script = "<script id=\"__debug_kit\" data-id=\"{$id}\" data-url=\"{$url}\" src=\"" . Router::url('/debug_kit/js/toolbar.js') . '"></script>';
         $body = substr($body, 0, $pos) . $script . substr($body, $pos);
         $response->body($body);
     }

src/Template/Layout/toolbar.ctp

@@ -13,5 +13,5 @@
     </body>
     <?= $this->Html->script('DebugKit.jquery') ?>
     <?= $this->Html->script('DebugKit.toolbar-app') ?>
-    <?= $this->fetch('scripts') ?>
+    <?= $this->fetch('script') ?>
 </html>

src/Template/Requests/view.ctp

@@ -12,7 +12,7 @@ use Cake\Core\Configure;
 
 <ul id="toolbar" class="toolbar">
     <?php foreach ($toolbar->panels as $panel): ?>
-    <li class="panel" data-id="<?= $panel->id ?>" style="display: none;">
+    <li class="panel hidden" data-id="<?= $panel->id ?>">
         <span class="panel-button">
             <?= h($panel->title) ?>
         </span>
@@ -28,25 +28,4 @@ use Cake\Core\Configure;
 			['alt' => 'Debug Kit', 'title' => 'CakePHP ' . Configure::version() . ' Debug Kit']) ?>
     </li>
 </ul>
-<?php $this->start('scripts') ?>
-<script>
-var baseUrl = "<?= Router::url('/', true) ?>";
-var toolbar;
-
-$(document).ready(function() {
-    toolbar = new Toolbar({
-        button: $('#toolbar'),
-        content: $('#panel-content-container'),
-        panelButtons: $('.panel'),
-        panelClose: $('#panel-close'),
-        keyboardScope : $(document),
-        currentRequest: '<?= $toolbar->id ?>',
-        originalRequest: '<?= $toolbar->id ?>',
-        baseUrl: <?= json_encode($this->Url->build('/')) ?>
-    });
-
-    toolbar.initialize();
-
-});
-</script>
-<?php $this->end() ?>
+<?php $this->Html->script('DebugKit.debug_kit', ['block' => true, 'id' => '__debug_kit', 'data-id' => $toolbar->id, 'data-url' => json_encode($this->Url->build('/')), 'data-full-url' => Router::url('/', true)]) ?>

tests/TestCase/Routing/Filter/DebugBarFilterTest.php

@@ -146,9 +146,8 @@ public function testAfterDispatchSavesData()
         $this->assertEquals('Sql Log', $result->panels[7]->title);
 
         $expected = '<html><title>test</title><body><p>some text</p>' .
-            "<script>var __debug_kit_id = '" . $result->id . "', " .
-            "__debug_kit_base_url = 'http://localhost/';</script>" .
-            '<script src="/debug_kit/js/toolbar.js"></script>' .
+            '<script id="__debug_kit" data-id="' . $result->id . '" ' .
+            'data-url="http://localhost/" src="/debug_kit/js/toolbar.js"></script>' .
             '</body>';
         $this->assertTextEquals($expected, $response->body());
     }

webroot/css/toolbar.css

@@ -65,6 +65,10 @@ p {
 	overflow: auto;
 }
 
+.hidden {
+    display: none;
+}
+
 /* Open close button */
 #panel-button,
 .panel {

webroot/js/debug_kit.js

@@ -0,0 +1,25 @@
+var baseUrl, toolbar;
+
+var elem = document.getElementById("__debug_kit");
+if (elem) {
+    window.__debug_kit_id = elem.getAttribute("data-id");
+    window.__debug_kit_base_url = elem.getAttribute("data-url");
+    baseUrl = elem.getAttribute("data-full-url");
+    elem = null;
+}
+
+$(document).ready(function() {
+    toolbar = new Toolbar({
+        button: $('#toolbar'),
+        content: $('#panel-content-container'),
+        panelButtons: $('.panel'),
+        panelClose: $('#panel-close'),
+        keyboardScope : $(document),
+        currentRequest: __debug_kit_id,
+        originalRequest: __debug_kit_id,
+        baseUrl: __debug_kit_base_url
+    });
+
+    toolbar.initialize();
+
+});

webroot/js/toolbar.js

@@ -1,3 +1,11 @@
+var __debug_kit_id, __debug_kit_base_url;
+var elem = document.getElementById("__debug_kit");
+if (elem) {
+    __debug_kit_id = elem.getAttribute("data-id");
+    __debug_kit_base_url = elem.getAttribute("data-url");
+    elem = null;
+}
+
 (function(win, doc) {
 	var iframe;
 	var bodyOverflow;
@@ -29,7 +37,13 @@
 		}
 		var body = doc.body;
 		iframe = doc.createElement('iframe');
-		iframe.setAttribute('style', 'position: fixed; bottom: 0; right: 0; border: 0; outline: 0; overflow: hidden; z-index: 99999;');
+        iframe.style.position = 'fixed';
+        iframe.style.bottom = 0;
+        iframe.style.right = 0;
+        iframe.style.border = 0;
+        iframe.style.outline = 0;
+        iframe.style.overflow = 'hidden';
+        iframe.style.zIndex = 99999;
 		iframe.height = 40;
 		iframe.width = 40;
 		iframe.src = __debug_kit_base_url + 'debug_kit/toolbar/' + __debug_kit_id;