
New script src directives

Open · ooOsH opened this issue 5 years ago · 1 comment

Will you be adding support for the more granular script src directives script-src-attr, script-src-elem, style-src-attr, style-src-elem ?

ooOsH · Apr 03 '19 11:04

For anyone else who comes across this because their CSP is currently broken in Chrome: in the latest releases of Symfony (3.4.401, 4.4.8 and 5.0.8), the WebProfilerBundle adds the script-src-elem and style-src-elem directives if they don't already exist. So if you have

    csp:
        enforce:
            default-src: ['none']
            # ...

it will copy default-src: 'none' into the *-elem directives, causing Chrome to ignore the script-src and style-src directives and most likely causing all your styles and scripts not to load. This has been reported in symfony/symfony#36643 and symfony/symfony#36641.

As a quick workaround for now, you can add the following to packages/dev/nelmio_security.yaml, which will cause the WebProfilerBundle to not add the directives:

    csp:
        enforce:
            default-src: ['unsafe-inline']

ndench · May 04 '20 01:05
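The directive fallback that makes the copied 'none' so damaging, as an added example that is not code from NelmioSecurityBundle, Symfony or either commenter: a small model of the CSP3 fallback chain (script-src-elem falls back to script-src, then default-src), with `add_elem_from_default` mimicking the behaviour the comment above describes and `add_elem_from_fallback` an assumed sound alternative, not Symfony's actual fix.

```python
# Added example, not code from NelmioSecurityBundle or Symfony: a small model of
# the CSP3 directive fallback chain, showing why copying default-src 'none' into
# script-src-elem / style-src-elem silently overrides a permissive script-src.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
}

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def governing_directive(policy, directive):
    """Directive a browser actually consults for `directive` (first present)."""
    for name in FALLBACK[directive]:
        if name in policy:
            return name
    return None

def allows(policy, directive, source):
    """Whether `source` (a keyword like "'self'" or an origin) is permitted."""
    name = governing_directive(policy, directive)
    if name is None:
        return True  # nothing in the policy restricts this directive
    values = policy[name]
    return "'none'" not in values and (source in values or "*" in values)

def add_elem_from_default(policy):
    """Behaviour described in the issue: missing *-elem <- copy of default-src."""
    out = {k: list(v) for k, v in policy.items()}
    for elem in FALLBACK:
        if elem not in out and "default-src" in out:
            out[elem] = list(out["default-src"])
    return out

def add_elem_from_fallback(policy):
    """Fill missing *-elem from the directive already governing it, so the
    effective policy is unchanged (assumed approach, not Symfony's actual fix)."""
    out = {k: list(v) for k, v in policy.items()}
    for elem in FALLBACK:
        if elem not in out:
            src = governing_directive(out, elem)
            if src is not None:
                out[elem] = list(out[src])
    return out
```

With `default-src 'none'; script-src 'self'; style-src 'self'`, the first helper yields `script-src-elem 'none'`, which Chrome then consults instead of `script-src`, so every script element is blocked; the second leaves the effective policy as it was.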