Better logic for adding CSP nonces. Bump to 1.4.1

CHANGELOG.md

@@ -1,8 +1,9 @@
 # ToolMate Changelog
 
-## Unreleased
+## 1.4.1 - 2022-05-19
 ### Improved
 - ToolMate now removes any hard-coded nonces or hashes set in the CSP config, for any directives that also contain the `unsafe-inline` policy
+- ToolMate now avoids inadvertently creating CSP directives that could be empty, when adding nonces   
 
 ## 1.4.0 - 2022-05-14
 ### Added

composer.json

@@ -2,7 +2,7 @@
     "name": "vaersaagod/toolmate",
     "description": "Is that a tool in your pocket, or are you just happy to see me, mate?",
     "type": "craft-plugin",
-    "version": "1.4.0",
+    "version": "1.4.1",
     "keywords": [
         "craft",
         "cms",

src/services/CspService.php

@@ -100,17 +100,16 @@ public function setHeader(Response $response): void
             $carry[StringHelper::toKebabCase($field)] = $policies;
             return $carry;
         }, []);
-        
+
         // Add memoized nonces
         foreach ($this->nonces as $directive => $nonces) {
-            $directives[$directive] = $directives[$directive] ?? [];
-            foreach ($nonces as $nonce) {
-                if (in_array("'unsafe-inline'", $directives[$directive], true)) {
-                    // Skip nonces for directives with unsafe-inline
-                    continue;
-                }
-                $directives[$directive][] = "'nonce-" . $nonce . "'";
+            // Skip nonces for directives with unsafe-inline
+            if (empty($nonces) || in_array("'unsafe-inline'", $directives[$directive] ?? [])) {
+                continue;
             }
+            $directives[$directive] = array_merge($directives[$directive] ?? [], array_map(static function (string $nonce) {
+                return "'nonce-$nonce'";
+            }, $nonces));
         }
 
         // Clear memoized nonces