grokability · ShadowJonathan · Sep 12, 2025 · Sep 12, 2025 · Sep 12, 2025 · Sep 12, 2025
@@ -81,20 +81,68 @@ public function handle($request, Closure $next)
         // and it will break things.
 
         if ((config('app.debug') != 'true') && (config('app.enable_csp') == 'true')) {
-            $csp_policy[] = "default-src 'self'";
-            $csp_policy[] = "style-src 'self' 'unsafe-inline'";
-            $csp_policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
-            $csp_policy[] = "connect-src 'self'";
-            $csp_policy[] = "object-src 'none'";
-            $csp_policy[] = "font-src 'self' data:";
-            $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.config('app.additional_csp_urls').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
-
+            ## start lax CSP
+
+            $laxCspPolicy[] = "default-src 'self'";
+            $laxCspPolicy[] = "style-src 'self' 'unsafe-inline'";
+            $laxCspPolicy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
+            $laxCspPolicy[] = "connect-src 'self'";
+            $laxCspPolicy[] = "object-src 'none'";
+            $laxCspPolicy[] = "font-src 'self' data:";
+            $laxCspPolicy[] = "img-src 'self' data: " . config('app.url') . ' ' . config('app.additional_csp_urls') . ' ' . env('PUBLIC_AWS_URL') . ' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
+
+            if (config('filesystems.disks.public.driver') == 's3') {
+                $laxCspPolicy[] = "img-src 'self' data:  " . config('filesystems.disks.public.url');
+            }
+
+            ## end lax CSP
+
+            ## start strict CSP
+
+            $strictCspPolicy[] = "default-src 'self'";
+            // FIXME: There is a LOT of dynamically loaded inline styles into elements, so this isn't going to work for now...
+            // $strictCspPolicy[] = "style-src 'self' 'nonce-" . csrf_token() . "'";
+            $strictCspPolicy[] = "style-src 'self' 'unsafe-inline'";
+            $strictCspPolicy[] = "script-src 'self' 'nonce-" . csrf_token() . "'";
+            $strictCspPolicy[] = "connect-src 'self'";
+            $strictCspPolicy[] = "base-uri 'self'";
+            $strictCspPolicy[] = "form-action 'self'";
+            $strictCspPolicy[] = "object-src 'none'";
+            $strictCspPolicy[] = "font-src 'self' data:";
+            $strictCspPolicy[] = "img-src 'self' data: " . config('app.url') . ' ' . config('app.additional_csp_urls') . ' ' . env('PUBLIC_AWS_URL') . ' https://secure.gravatar.com https://gravatar.com https://maps.google.com https://maps.gstatic.com https://*.googleapis.com';
+
             if (config('filesystems.disks.public.driver') == 's3') {
-               $csp_policy[] = "img-src 'self' data:  ".config('filesystems.disks.public.url');
+                $strictCspPolicy[] = "img-src 'self' data:  " . config('filesystems.disks.public.url');
+            }
+
+            if (config('allow_iframing') == false) {
+                $strictCspPolicy[] = "frame-ancestors 'none'";
+            }
+
+            ## end strict CSP
+
+            if (!empty(config('csp_report_to'))) {
+                $cspReportToUri = config('csp_report_to');
+
+                $response->headers->set('Reporting-Endpoints', 'csp-endpoint="' . $cspReportToUri . '"');
+
+                $cspReportTo[] = "report-to csp-endpoint";
+                $cspReportTo[] = "report-uri " . $cspReportToUri;
+
+                $laxCspPolicy = array_merge($laxCspPolicy, $cspReportTo);
+                $strictCspPolicy = array_merge($strictCspPolicy, $cspReportTo);
+            }
+
+            $laxCspPolicy = join(';', $laxCspPolicy);
+            $strictCspPolicy = join(';', $strictCspPolicy);
+
+            if (config('enable_strict_csp') == true) {
+                $response->headers->set('Content-Security-Policy', $strictCspPolicy);
+            } else {
+                $response->headers->set('Content-Security-Policy', $laxCspPolicy);
             }
-            $csp_policy = join(';', $csp_policy);
 
-            $response->headers->set('Content-Security-Policy', $csp_policy);
+            $response->headers->set('Content-Security-Policy-Report-Only', $strictCspPolicy);
         }
 
         return $response;

@@ -201,8 +201,11 @@
 
     'enable_csp' => env('ENABLE_CSP', true),
 
+    'enable_strict_csp' => env('ENABLE_STRICT_CSP', false),
+
     'additional_csp_urls' => env('ADDITIONAL_CSP_URLS', ''),
 
+    'csp_report_to' => env("CSP_REPORT_TO", null),
 
 
     /*

@@ -160,7 +160,17 @@ $(function () {
         return false;
     });
 
+    $el.on('click', '.js-suppress-click', function () {
+        return false;
+    });
+
+    $el.on('submit', '.js-suppress-submit', function () {
+        return false;
+    });
 
+    $el.on('focus', '.js-allow-write-on-focus', function () {
+        this.removeAttribute('readonly');
+    });
 
      /*
      * Select2

@@ -334,7 +334,7 @@ class="table table-striped snipe-table"
         @can('delete', $accessory)
             @if ($accessory->checkouts_count == 0)
                 <div class="text-center" style="padding-top:5px;">
-                    <button class="btn btn-block btn-danger btn-sm btn-social delete-asset" style="padding-top:5px;" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.delete_confirm_no_undo', ['item' => $accessory->name]) }}" data-target="#dataConfirmModal" onClick="return false;">
+                    <button class="btn btn-block btn-danger btn-sm btn-social delete-asset js-suppress-click" style="padding-top:5px;" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.delete_confirm_no_undo', ['item' => $accessory->name]) }}" data-target="#dataConfirmModal">
                         <x-icon type="delete" />
                     {{ trans('general.delete') }}
                     </button>

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta http-equiv="X-UA-Compatible" content="ie=edge">
-    <style>
+    <style nonce="{{ csrf_token() }}">
         body {
             font-family:'Dejavu Sans', Arial, Helvetica, sans-serif;
             font-size: 11px;

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta http-equiv="X-UA-Compatible" content="ie=edge">
-    <style>
+    <style nonce="{{ csrf_token() }}">
         body {
             font-family:'Dejavu Sans', Arial, Helvetica, sans-serif;
             font-size: 11px;

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta http-equiv="X-UA-Compatible" content="ie=edge">
-    <style>
+    <style nonce="{{ csrf_token() }}">
         body {
             font-family:'Dejavu Sans', Arial, Helvetica, sans-serif;
             font-size: 11px;

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta http-equiv="X-UA-Compatible" content="ie=edge">
-    <style>
+    <style nonce="{{ csrf_token() }}">
         body {
             font-family:'Dejavu Sans', Arial, Helvetica, sans-serif;
             font-size: 11px;

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta http-equiv="X-UA-Compatible" content="ie=edge">
-    <style>
+    <style nonce="{{ csrf_token() }}">
         body {
             font-family:'Dejavu Sans', Arial, Helvetica, sans-serif;
             font-size: 11px;

@@ -13,7 +13,7 @@
 
     <link rel="stylesheet" href="{{ url('css/signature-pad.min.css') }}">
 
-    <style>
+    <style nonce="{{ csrf_token() }}">
         .form-horizontal .control-label, .form-horizontal .radio, .form-horizontal .checkbox, .form-horizontal .radio-inline, .form-horizontal .checkbox-inline {
             padding-top: 17px;
             padding-right: 10px;

@@ -34,7 +34,7 @@
           <label for="user_id" class="control-label" style="margin-right: 10px;">
             {{ trans('general.view_user_assets') }}:
           </label>
-          <select name="user_id" id="user_id" class="form-control select2" onchange="this.form.submit()" style="width: 250px; display: inline-block;">
+          <select name="user_id" id="user_id" class="form-control select2" style="width: 250px; display: inline-block;">
             @foreach ($subordinates as $subordinate)
               <option value="{{ $subordinate->id }}" {{ (int)$selectedUserId === (int)$subordinate->id ? ' selected' : '' }}>
                 {{ $subordinate->display_name }}
@@ -44,6 +44,13 @@
               </option>
             @endforeach
           </select>
+          @push('js')
+          <script nonce="{{ csrf_token() }}">
+            $('#user_id').on('change', function (event) {
+              this.form.submit();
+            })
+          </script>
+          @endpush
         </div>
       </form>
     </div>

@@ -42,10 +42,19 @@
                             <button class="btn btn-lg btn-primary btn-block">{{ trans('general.submit')  }}</button>
                         </div>
                         <div class="col-md-12 col-sm-12 col-xs-12 text-right" style="padding-top: 10px;">
-                            <a href="{{ route('logout.get') }}" onclick="document.getElementById('logout-form').submit(); return false;">
+                            <a href="{{ route('logout.get') }}" id="2fa-logout-button">
                                 {{ trans('general.cancel')  }}
                             </a>
                         </div>
+
+                        @push('js')
+                        <script nonce="{{ csrf_token() }}">
+                            $("#2fa-logout-button").on('click', function(event) {
+                                document.getElementById('logout-form').submit();
+                                return false;
+                            })
+                        </script>
+                        @endpush
             </div>
             </form>
             <form id="logout-form" action="{{ route('logout.post') }}" method="POST" style="display: none;">

@@ -246,12 +246,16 @@ class="table table-striped snipe-table"
   @can('delete', $component)
         <div class="col-md-12 hidden-print" style="padding-top: 5px;">
           @if ($component->isDeletable())
-              <button class="btn btn-sm btn-block btn-danger btn-social delete-asset" data-icon="fa fa-trash" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.sure_to_delete_var', ['item' => $component->name]) }}" data-target="#dataConfirmModal" onClick="return false;">
+          <button class="btn btn-sm btn-block btn-danger btn-social delete-asset js-suppress-click" data-icon="fa fa-trash"
+            data-toggle="modal" data-title="{{ trans('general.delete') }}"
+            data-content="{{ trans('general.sure_to_delete_var', ['item' => $component->name]) }}"
+            data-target="#dataConfirmModal">
               <x-icon type="delete" />
               {{ trans('general.delete') }}
             </button>
           @else
-            <a href="#" class="btn btn-block btn-sm btn-danger btn-social hidden-print disabled" data-tooltip="true"  data-placement="top" data-title="{{ trans('general.cannot_be_deleted') }}" onClick="return false;">
+          <a href="#" class="btn btn-block btn-sm btn-danger btn-social hidden-print disabled js-suppress-click"
+            data-tooltip="true" data-placement="top" data-title="{{ trans('general.cannot_be_deleted') }}">
               <x-icon type="delete" />
               {{ trans('general.delete') }}
             </a>

@@ -139,7 +139,7 @@
                   @can('delete', $consumable)
                     <div class="col-md-12" style="padding-top: 10px; padding-bottom: 20px">
                       @if ($consumable->deleted_at=='')
-                        <button class="btn btn-sm btn-block btn-danger btn-social hidden-print delete-asset" data-icon="fa fa-trash" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.sure_to_delete_var', ['item' => $consumable->name]) }}" data-target="#dataConfirmModal" onClick="return false;">
+                        <button class="btn btn-sm btn-block btn-danger btn-social hidden-print delete-asset js-suppress-click" data-icon="fa fa-trash" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.sure_to_delete_var', ['item' => $consumable->name]) }}" data-target="#dataConfirmModal">
                           <x-icon type="delete" />
                           {{ trans('general.delete') }}
                         </button>

@@ -88,7 +88,7 @@ class="table table-striped snipe-table"
                   @if($fieldset->models->count() > 0)
                   <button type="submit" class="btn btn-danger btn-sm disabled" data-tooltip="true" title="{{ trans('general.cannot_be_deleted') }}" disabled><i class="fas fa-trash"></i></button>
                   @else
-                  <a type="submit" href="{{ route('fieldsets.destroy', $fieldset) }}" class="btn btn-danger btn-sm delete-asset" data-tooltip="true" title="{{ trans('general.delete') }}" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.sure_to_delete_var', ['item' => $fieldset->name]) }}" data-icon="fa fa-trash" data-target="#dataConfirmModal" onClick="return false;"><i class="fas fa-trash"></i></a>
+                  <a type="submit" href="{{ route('fieldsets.destroy', $fieldset) }}" class="btn btn-danger btn-sm delete-asset js-suppress-click" data-tooltip="true" title="{{ trans('general.delete') }}" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.sure_to_delete_var', ['item' => $fieldset->name]) }}" data-icon="fa fa-trash" data-target="#dataConfirmModal"><i class="fas fa-trash"></i></a>
                   @endif
                 @endcan
                   </nobr>
@@ -249,7 +249,7 @@ class="sr-only">{{ trans('admin/custom_fields/general.unique') }}</span></i></th
                       <span class="sr-only">{{ trans('button.delete') }}</span>
                     </button>
                   @else
-                    <a href="{{ route('fields.destroy', $field) }}" class="btn btn-danger btn-sm delete-asset" data-tooltip="true" title="{{ trans('general.delete') }}" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.sure_to_delete_var', ['item' => $field->name]) }}" data-target="#dataConfirmModal" data-icon="fa fa-trash" onClick="return false;">
+                    <a href="{{ route('fields.destroy', $field) }}" class="btn btn-danger btn-sm delete-asset js-suppress-click" data-tooltip="true" title="{{ trans('general.delete') }}" data-toggle="modal" data-title="{{ trans('general.delete') }}" data-content="{{ trans('general.sure_to_delete_var', ['item' => $field->name]) }}" data-target="#dataConfirmModal" data-icon="fa fa-trash">
                       <i class="fas fa-trash" aria-hidden="true"></i>
                       <span class="sr-only">{{ trans('button.delete') }}</span>
                     </a>
@@ -271,7 +271,7 @@ class="sr-only">{{ trans('admin/custom_fields/general.unique') }}</span></i></th
 @stop
 @section('moar_scripts')
   @include ('partials.bootstrap-table')
-  <script>
+  <script nonce="{{ csrf_token() }}">
     $(function () {
       $('th').each(function (index, raw_element) {
         var element = $(raw_element);

@@ -502,7 +502,7 @@ class="table table-striped snipe-table"
 @push('js')
 
 
-        <script src="{{ url(mix('js/dist/Chart.min.js')) }}"></script>
+        <script src="{{ url(mix('js/dist/Chart.min.js')) }}" nonce="{{ csrf_token() }}"></script>
 <script nonce="{{ csrf_token() }}">
     // ---------------------------
     // - ASSET STATUS CHART -

@@ -7,7 +7,7 @@
 ])
 @section('content')
 
-    <style>
+    <style nonce="{{ csrf_token() }}">
         .form-horizontal .control-label {
             padding-top: 0px;
         }

@@ -9,7 +9,7 @@
 {{-- Page content --}}
 @section('content')
 
-    <style>
+    <style nonce="{{ csrf_token() }}">
 
         .input-group {
             padding-left: 0px !important;

@@ -9,7 +9,7 @@
 {{-- Page content --}}
 @section('content')
 
-<style>
+<style nonce="{{ csrf_token() }}">
   .input-group {
     padding-left: 0px !important;
   }

@@ -278,7 +278,7 @@
 </div>
 @stop
 @section('moar_scripts')
-  <script>
+  <script nonce="{{ csrf_token() }}">
     document.addEventListener('DOMContentLoaded', function () {
       document.querySelectorAll('.clear-radio').forEach(function (button) {
         button.addEventListener('click', function () {

@@ -8,7 +8,7 @@
 
 {{-- Page content --}}
 @section('content')
-    <style>
+    <style nonce="{{ csrf_token() }}">
 
         .input-group {
             padding-left: 0px !important;

@@ -9,7 +9,7 @@
 {{-- Page content --}}
 @section('content')
 
-    <style>
+    <style nonce="{{ csrf_token() }}">
 
         .input-group {
             padding-left: 0px !important;

@@ -14,7 +14,7 @@
 $qr_size = ($settings->alt_barcode_enabled=='1') && ($settings->label2_1d_type!='') ? $settings->labels_height - .3 : $settings->labels_height - 0.1;
 ?>
 
-<style>
+<style nonce="{{ csrf_token() }}">
     body {
         font-family: arial, helvetica, sans-serif;
         width: {{ $settings->labels_pagewidth }}in;

@@ -9,7 +9,7 @@
 {{-- Page content --}}
 @section('content')
 
-    <style>
+    <style nonce="{{ csrf_token() }}">
 
         .input-group {
             padding-left: 0px !important;

@@ -9,7 +9,7 @@
 {{-- Page content --}}
 @section('content')
 
-    <style>
+    <style nonce="{{ csrf_token() }}">
 
         .input-group {
             padding-left: 0px !important;

@@ -755,7 +755,7 @@ class="form-inline"
                                                             </i>
                                                         @endif
                                                         @if (($field->field_encrypted=='1') && ($asset->{$field->db_column_name()}!='') && (Gate::allows('assets.view.encrypted_custom_fields')))
-                                                            <i class="fas fa-lock" data-tooltip="true" data-placement="top" title="{{ trans('admin/custom_fields/general.value_encrypted') }}" onclick="showHideEncValue(this)" id="text-{{ $field->id }}"></i>
+                                                            <i class="fas fa-lock js-show-hide-enc-value" data-tooltip="true" data-placement="top" title="{{ trans('admin/custom_fields/general.value_encrypted') }}" id="text-{{ $field->id }}"></i>
                                                         @endif
 
                                                         @if ($field->isFieldDecryptable($asset->{$field->db_column_name()} ))
@@ -805,6 +805,14 @@ class="form-inline"
                                                     </div>
                                                 </div>
                                             @endforeach
+
+                                            @push('js')
+                                            <script nonce="{{ csrf_token() }}">
+                                                $(".js-show-hide-enc-value").on('click', function(event) {
+                                                    showHideEncValue(this);
+                                                })
+                                            </script>
+                                            @endpush
                                         @endif
 
 

@@ -9,7 +9,7 @@
 {{-- Page content --}}
 @section('content')
 
-<style>
+<style nonce="{{ csrf_token() }}">
   .input-group {
     padding-left: 0px !important;
   }