Commit
bug #36786 [WebProfiler] Remove 'none' when appending CSP tokens (nde…
…nch)

This PR was merged into the 4.4 branch.

Discussion
----------

[WebProfiler] Remove 'none' when appending CSP tokens

| Q             | A
| ------------- | ---
| Branch?       | 3.4, 4.4, 5.0
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #36645
| License       | MIT
| Doc PR        | n/a

@nicolas-grekas asked me to have a look at this after #36678.

If a user has a CSP policy of `default-src 'none'`, then the WebProfiler copies `'none'` to `script-src` and `style-src` then adds other sources. This creates an invalid policy since `'none'` is only allowed when it's the only item in the source list.

This will probably need to be merged into 3.4 first, I started on 4.4 so I can test in my current Symfony project which requires 4.4.

Commits
-------

967bc4a [WebProfiler] Remove 'none' when appending CSP tokens
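
The failure mode described in the PR, reproduced as an added example that is not Symfony's code: it derives `script-src` from `default-src 'none'`, appends a source with and without stripping `'none'`, and reports directives where `'none'` sits beside other sources. The function names and the `'nonce-EXAMPLE'` token are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.4+); function names are hypothetical, not Symfony's API.
function parseCsp(string $header): array
{
    $policy = [];
    foreach (explode(';', $header) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens) {
            $name = strtolower(array_shift($tokens)); // directive names are case-insensitive
            $policy[$name] ??= $tokens;               // a repeated directive is ignored
        }
    }
    return $policy;
}

// Names of directives where 'none' sits beside other sources (the invalid case).
function mixedNone(array $policy): array
{
    return array_keys(array_filter($policy, function (array $sources): bool {
        return count($sources) > 1 && preg_grep("/^'none'$/i", $sources);
    }));
}

// Copy $name (or its default-src fallback), optionally drop 'none', then append $extra.
function appendSources(array $policy, string $name, array $extra, bool $dropNone = true): array
{
    $base = $policy[$name] ?? $policy['default-src'] ?? null;
    if (null === $base) {
        return $policy; // resource type is unrestricted; leave it alone
    }
    if ($dropNone) {
        $base = preg_grep("/^'none'$/i", $base, PREG_GREP_INVERT);
    }
    $policy[$name] = array_values(array_unique(array_merge($base, $extra)));
    return $policy;
}

// Serialize [directive => sources] back into a header value.
function buildCsp(array $policy): string
{
    return implode('; ', array_map(function (string $name, array $sources): string {
        return trim($name.' '.implode(' ', $sources));
    }, array_keys($policy), $policy));
}

// Constructed input: the policy from the PR description and a placeholder nonce.
$policy = parseCsp("default-src 'none'");
foreach ([false, true] as $dropNone) {
    $out = appendSources($policy, 'script-src', ["'nonce-EXAMPLE'"], $dropNone);
    echo buildCsp($out), ' | mixed: ', implode(',', mixedNone($out)) ?: '-', "\n";
}
```

The first pass keeps `'none'` and is flagged for `script-src`; the second strips it before appending, and `default-src 'none'` itself stays untouched, so every other resource type remains blocked.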