WebProfiler CSP handler breaks on 'none' #36645
Comments
|
Is this fixed by #36678? If not, can anyone investigate and send a PR? |
|
I'll have a shot at it sometime over the next few days, should be a quick fix I think. |
fabpot
added a commit
that referenced
this issue
May 13, 2020
…nch) This PR was merged into the 4.4 branch. Discussion ---------- [WebProfiler] Remove 'none' when appending CSP tokens | Q | A | ------------- | --- | Branch? | 3.4, 4.4, 5.0 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36645 | License | MIT | Doc PR | n/a @nicolas-grekas asked me to to have a look at this after #36678. If a user has a CSP policy of `default-src 'none'`, then the WebProfiler copies `'none'` to `script-src` and `style-src` then adds other sources. This creates an invalid policy since `'none'` is only allowed when it's the only item in the source list. This will probably need to be merged into 3.4 first, I started on 4.4 so I can test in my current symfony project which requires 4.4. Commits ------- 967bc4a [WebProfiler] Remove 'none' when appending CSP tokens
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Symfony version(s) affected: 3.4.40
Description
The use of the
'none'token in a CSP policy causesContentSecurityPolicyHandlerto generate invalid CSP headers.How to reproduce
Set a CSP policy of
default-src 'none';and ensure the web profiler is enabled.The following header will be sent to the client:
Chrome reports the following problems:
This problem also exists if you have a policy of
style-src 'none'you end up with a policy likestyle-src 'none' 'unsafe-inline' 'nonce-789'.Possible Solution
Remove the
'none'token when appending additional tokens.Additional context
Found this while investigating a regression #36643
The text was updated successfully, but these errors were encountered: