WebProfiler CSP can be broken by 3.4.40

[cs278]

Symfony version(s) affected: 3.4.40

Description
A change introduced in 3.4.40, can break content security policy when using the toolbar: #36315

The problem is that Symfony now sets {script,style}-src-elem which overrides {script,style}-src, I'll stick with referencing styles but the same problem exists from scripts.

How to reproduce

Given a simple policy of default-src https://example.com; style-src 'self', this permits CSS to be loaded from a file on the same origin.

$response->headers->set('Content-Security-Policy', "default-src https://example.com; style-src 'self'");

When the toolbar is enabled Symfony changes the policy to (I removed the script policies for simplicity):

default-src https://google.com; style-src 'self' 'unsafe-inline' 'nonce-123'; style-src-elem https://google.com 'unsafe-inline' 'nonce-123'

This now blocks CSS being loaded as style-src-elem overrides style-src and does not permit 'self'.

Possible Solution

If style-src-elem does not exist and style-src exists either:

• Do not create it
• Copy the style-src directives like is done from default-src

And apply the same fix for scripts.

Additional context

Whilst investigating this I found another bug with the way the 'none' token is handled: #36645

[stof]

We should indeed not create the new *-elem rules if they don't exist. Browsers will fallback from them to the older ones.

[nicolas-grekas]

@cs278 up for a PR? Anyone else? @ampaze maybe? Same for #36645

[ndench]

@nicolas-grekas I've done up a quick PR for this #36678