Skip to content

WIP: CSP Support#19230

Draft
4513 wants to merge 10 commits intofilamentphp:4.xfrom
4513:dev/mibo/csp
Draft

WIP: CSP Support#19230
4513 wants to merge 10 commits intofilamentphp:4.xfrom
4513:dev/mibo/csp

Conversation

@4513
Copy link

@4513 4513 commented Feb 8, 2026

Description

As discussed in #7032, this PR adds a support for CSP.

The PR is in WIP state as more commits will be made.

Visual changes

There are no visual changes expected to happen - an end user must not notice any change.

Functional changes

  • Code style has been fixed by running the composer cs command.
  • Changes have been tested to not break existing functionality.
  • Documentation is up-to-date.

@github-project-automation github-project-automation bot moved this to Todo in Roadmap Feb 8, 2026
@4513
Copy link
Author

4513 commented Feb 8, 2026

Initialize commit

This commit creates a new API for developer to:

  • configure CSP nonce for the application using Filament facade method 'useCspNonce'
    • it is expected to define the nonce using a closure within a ServiceProvider. An example using Spatie's library would be 'Filament::useCspNonce(static fn (): string => csp_nonce());`
    • the user is expected to configure Livewire too, following their documentation
  • to access and print CSP nonce into Blade templates
    • example: <script nonce="{{ \Filament\csp_nonce() }}"></script>

Nonces to current elements commit

To all style and script elements defined in Filament Blade templates a nonce has been added.

Simple inlines to elements commit

Simple inline style attributes has been moved to their own style elements with nonce. Most classes are either internal (predefined) or unique (randomly generated, not expected to be used more than once).

This commit does not edit x-bind:style

danharrin
danharrin requested changes Feb 9, 2026
View reviewed changes
Copy link
Member

@danharrin danharrin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I said here #7032 (reply in thread), I don't think we should focus on CSP style support: it looks like most of the changes here are related to that. I do not think it's supported in Livewire / Alpine / TipTap. Should we not be focusing on inline scripts?

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Roadmap Feb 9, 2026
@danharrin danharrin added the enhancement New feature or request label Feb 9, 2026
@danharrin danharrin added this to the v4 milestone Feb 9, 2026
@4513
Copy link
Author

4513 commented Feb 9, 2026

While making the library CSP compliant, I am trying to solve all issues that both are now relevant now and may be relevant in the future. I can undo the commit that focuses on inline styles tho.

The next steps will be focused on inline scripts, x-data attribute and pushing current CSP nonce via 'livewire/update' requests.

@danharrin
Copy link
Member

danharrin commented Feb 9, 2026

Please undo all style-related changes. While I appreciate the endeavour to solve everything, this will already be a large PR that is difficult to safely review, and including styles is going to increase the surface area when they aren't even able to be used.

4513 added 2 commits February 9, 2026 09:43
@4513
Revert "Merge branch 'dev/mibo/csp-part/simple-inlines-to-elems' into…
42cbac5 
… dev/mibo/csp"

This reverts commit fae3acb, reversing
changes made to 5fce027.
@4513
Revert "Merge branch 'dev/mibo/csp-part/simple-inlines-to-elems' into…
9b67c80 
… dev/mibo/csp"

This reverts commit 5fce027, reversing
changes made to 6084a07.
@danharrin
Copy link
Member

danharrin commented Feb 28, 2026

Hi @4513, any update on this? Just want to make sure this doesn't go stale, or I would rather the PR was opened once it was ready for review. No expectations to finish if you don't want to, but if not I would rather close it. Thanks.

@m-develops
Copy link

m-develops commented Mar 10, 2026

@4513 Need any help? Perhaps if we could divide the work we can make this work together?
Feel free to send me a PM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danharrin danharrin danharrin requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

Roadmap
Status: In Progress

Milestone

v4

Development

Successfully merging this pull request may close these issues.

3 participants

@4513 @danharrin @m-develops