codeigniter4 · kenjis · Sep 23, 2022 · Sep 15, 2022 · Sep 16, 2022 · Sep 23, 2022
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -300,11 +300,10 @@ public function getScriptNonce(): string
  */
  public function finalize(ResponseInterface $response)
  {
- if ($this->autoNonce === false) {
- return;
+ if ($this->autoNonce) {
+ $this->generateNonces($response);
  }
 
- $this->generateNonces($response);
  $this->buildHeaders($response);
  }
 

diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -12,6 +12,7 @@
 namespace CodeIgniter\HTTP;
 
 use CodeIgniter\Test\CIUnitTestCase;
+use CodeIgniter\Test\TestResponse;
 use Config\App;
 use Config\ContentSecurityPolicy as CSPConfig;
 
@@ -533,6 +534,9 @@ public function testBodyScriptNonceDisableAutoNonce()
  $csp->finalize($response);
 
  $this->assertStringContainsString('{csp-script-nonce}', $response->getBody());
+
+ $result = new TestResponse($response);
+ $result->assertHeader('Content-Security-Policy');
  }
 
  public function testBodyStyleNonceDisableAutoNonce()
@@ -549,6 +553,9 @@ public function testBodyStyleNonceDisableAutoNonce()
  $csp->finalize($response);
 
  $this->assertStringContainsString('{csp-style-nonce}', $response->getBody());
+
+ $result = new TestResponse($response);
+ $result->assertHeader('Content-Security-Policy');
  }
 
  /**

diff --git a/user_guide_src/source/changelogs/v4.2.7.rst b/user_guide_src/source/changelogs/v4.2.7.rst
@@ -33,6 +33,6 @@ none.
 Bugs Fixed
 **********
 
-none.
+- Fixed a bug that prevents CSP headers from being sent when ``Config\ContentSecurityPolicy::$autoNonce`` is false.
 
 See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.