fix: reset Kint CSP state in worker mode (#10139)

memleakd · web-flow · commit aa0d83ef601f · 2026-04-25T19:25:44.000+08:00
Signed-off-by: memleakd &lt;121398829+memleakd@users.noreply.github.com&gt;
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -208,6 +208,29 @@ public function resetForWorkerMode(): void
         // Reset timing
         $this->startTime = null;
         $this->totalTime = 0;
+
+        $this->resetKintForWorkerMode();
+    }
+
+    /**
+     * Resets Kint request-specific state for worker mode.
+     */
+    private function resetKintForWorkerMode(): void
+    {
+        if (! CI_DEBUG || ! class_exists(Kint::class, false)) {
+            return;
+        }
+
+        $csp = service('csp');
+        if ($csp->enabled()) {
+            RichRenderer::$js_nonce  = $csp->getScriptNonce();
+            RichRenderer::$css_nonce = $csp->getStyleNonce();
+        } else {
+            RichRenderer::$js_nonce  = null;
+            RichRenderer::$css_nonce = null;
+        }
+
+        RichRenderer::$needs_pre_render = true;
     }
 
     /**
diff --git a/tests/system/CodeIgniterTest.php b/tests/system/CodeIgniterTest.php
@@ -30,6 +30,7 @@
 use Config\Filters as FiltersConfig;
 use Config\Modules;
 use Config\Routing;
+use Kint\Renderer\RichRenderer;
 use PHPUnit\Framework\Attributes\BackupGlobals;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
@@ -1273,6 +1274,15 @@ public function testRouteAttributesDisabledInConfig(): void
 
     public function testResetForWorkerMode(): void
     {
+        $this->resetServices();
+
+        $appConfig             = config(App::class);
+        $appConfig->CSPEnabled = true;
+
+        RichRenderer::$js_nonce         = 'stale-script-nonce';
+        RichRenderer::$css_nonce        = 'stale-style-nonce';
+        RichRenderer::$needs_pre_render = false;
+
         $config      = new App();
         $codeigniter = new MockCodeIgniter($config);
 
@@ -1292,5 +1302,11 @@ public function testResetForWorkerMode(): void
         $this->assertNull($this->getPrivateProperty($codeigniter, 'controller'));
         $this->assertNull($this->getPrivateProperty($codeigniter, 'method'));
         $this->assertNull($this->getPrivateProperty($codeigniter, 'output'));
+
+        $csp = service('csp');
+
+        $this->assertSame($csp->getScriptNonce(), RichRenderer::$js_nonce);
+        $this->assertSame($csp->getStyleNonce(), RichRenderer::$css_nonce);
+        $this->assertTrue(RichRenderer::$needs_pre_render);
     }
 }
diff --git a/user_guide_src/source/changelogs/v4.7.3.rst b/user_guide_src/source/changelogs/v4.7.3.rst
@@ -40,6 +40,7 @@ Bugs Fixed
 - **CLI:** Fixed a bug where ``CLI::generateDimensions()`` leaked ``stty`` error output (e.g., ``stty: 'standard input': Inappropriate ioctl for device``) to stderr when stdin was not a TTY.
 - **Commands:** Fixed a bug in the ``env`` command where passing options only would cause the command to throw a ``TypeError`` instead of showing the current environment.
 - **Common:** Fixed a bug where the ``command()`` helper function did not properly clean up output buffers, which could lead to risky tests when exceptions were thrown.
+- **Kint:** Fixed a bug where stale Content Security Policy nonces were reused in worker mode, causing browser CSP violations for Debug Toolbar assets.
 - **Validation:** Fixed a bug where ``Validation::getValidated()`` dropped fields whose validated value was explicitly ``null``.
 
 See the repo's
