[WebProfiler] Do not add src-elem CSP directives if they do not exist

[ndench]

Q	A
Branch?	3.4, 4.4, 5.0
Bug fix?	yes
New feature?	no
Deprecations?	no
Tickets	Fix #36643
License	MIT
Doc PR	n/a

In the latest 3.4., 4.4. and 5.0.* branches the script-src-elem and style-src-elem directives are added to the Content-Security-Policy header if they don't exist by copying the default-src. This causes browsers to ignore the script-src and style-src directives which likely contain scripts and styles the developer wanted to allow.

As mentioned in the fixed ticket, we shouldn't be adding these directives if they don't exist because the browser will automatically fallback to script-src and style-src which we have already added unsafe-inlen and the nonce-* to.

This will need to be merged into 3.4, 4.4 and 5.0, but I was unsure which branch I am meant to base it off to start with. I've put it on 4.4 but can move it to another if required.

[ndench]

I can't see how my change would have caused Appveyor to fail. Here's the error:

There was 1 failure:
1) Symfony\Bundle\FrameworkBundle\Tests\Functional\DebugAutowiringCommandTest::testNotConfusedByClassAliases
Failed asserting that '\r\n
Autowirable Types\r\n
=================\r\n
\r\n
 The following classes & interfaces can be used as type-hints when autowiring:\r\n
 (only showing classes/interfaces matching ClassAlias)\r\n
 \r\n
 Symfony\Bundle\FrameworkBundle\Tests\Fixtures\ClassAliasExampleClass (public)\r\n
\r\n
\r\n
' contains "Symfony\Bundle\FrameworkBundle\Tests\Fixtures\ClassAliasExampleClass (public)".
C:\projects\symfony\src\Symfony\Bundle\FrameworkBundle\Tests\Functional\DebugAutowiringCommandTest.php:110

[nicolas-grekas]

I rebased this PR for 3.4.

@cs278 / @ampaze can you please have a look?

@ndench would you mind having a look at #36645 too?

[nicolas-grekas]

Thank you @ndench.

[cs278]

Great thanks, just tested this works as expected. 👍