[WebProfiler] Do not add src-elem CSP directives if they do not exist #36678
In the latest 3.4, 4.4 and 5.0.* branches the `script-src-elem` and `style-src-elem` directives are added to the Content-Security-Policy header if they don't exist by copying the `default-src`. This causes browsers to ignore the `script-src` and `style-src` directives, which likely contain scripts and styles the developer wanted to allow.

As mentioned in the fixed ticket, we shouldn't be adding these directives if they don't exist because the browser will automatically fall back to `script-src` and `style-src`, which we have already added `unsafe-inline` and the `nonce-*` to.

This will need to be merged into 3.4, 4.4 and 5.0, but I was unsure which branch I am meant to base it off to start with. I've put it on 4.4 but can move it to another if required.
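The browser behaviour the description relies on is the CSP Level 3 fallback chain: a `<script>` element is governed by `script-src-elem` if present, otherwise by `script-src`, otherwise by `default-src` (and likewise `style-src-elem` for `<style>` / stylesheet links). The following JavaScript is an added illustration, not code from this PR or from Symfony: it parses a CSP header, resolves the governing directive for an element, and shows why synthesising `script-src-elem` from `default-src` silently drops the nonce that the profiler appended to `script-src`. The two header strings and the nonce value `abc` are constructed for the example; only nonce matching is modelled, not the full source-expression algorithm.

```javascript
// Added example (not Symfony's or this PR's code): a minimal model of how a
// browser picks the CSP directive that governs a <script> or <style> element.

// Parse "name value value; name value" into a Map; CSP keeps only the first
// occurrence of a repeated directive, so later duplicates are ignored here too.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...values] = tokens;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, values);
  }
  return directives;
}

// CSP3 fallback order for element-level directives.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
};

// Return the directive (and its values) that actually governs `name`,
// or null when nothing in the policy applies.
function effectiveDirective(directives, name) {
  const chain = FALLBACK[name] || [name, 'default-src'];
  for (const candidate of chain) {
    if (directives.has(candidate)) {
      return { directive: candidate, values: directives.get(candidate) };
    }
  }
  return null;
}

// Does the governing directive allow an element carrying nonce=`nonce`?
// (Only the nonce source expression is modelled.)
function allowsNonce(directives, name, nonce) {
  const eff = effectiveDirective(directives, name);
  if (eff === null) return true; // no applicable directive: unrestricted
  return eff.values.includes(`'nonce-${nonce}'`);
}

// Constructed headers. BUGGY mirrors the behaviour described in the PR:
// script-src-elem was synthesised by copying default-src, so it now
// shadows the script-src that carries the profiler's nonce.
const BUGGY_HEADER =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-abc'; script-src-elem 'self'";
// FIXED omits script-src-elem, so the browser falls back to script-src.
const FIXED_HEADER =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-abc'";

function demo() {
  const buggy = parseCsp(BUGGY_HEADER);
  const fixed = parseCsp(FIXED_HEADER);
  return {
    buggyGovernedBy: effectiveDirective(buggy, 'script-src-elem').directive,
    buggyAllowsNonce: allowsNonce(buggy, 'script-src-elem', 'abc'),
    fixedGovernedBy: effectiveDirective(fixed, 'script-src-elem').directive,
    fixedAllowsNonce: allowsNonce(fixed, 'script-src-elem', 'abc'),
  };
}

console.log(demo());
```

Running it shows the nonce'd inline script blocked under the first header (governed by `script-src-elem`, which never saw the nonce) and allowed under the second (governed by `script-src` via fallback), which is exactly why the profiler should leave `*-src-elem` absent rather than fabricate it.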