NelmioSecurityBundle
New script src directives
Will you be adding support for the more granular script src directives `script-src-attr`, `script-src-elem`, `style-src-attr`, `style-src-elem`?
For anyone else who comes across this because their CSP is currently broken in Chrome. The latest release of Symfony (3.4.401, 4.4.8 and 5.0.8), the WebProfilerBundle adds the `script-src-elem` and `style-src-elem` directives if they don't already exist. So if you have

```yaml
csp:
    enforce:
        default-src: ['none']
        # ...
```

It will copy `default-src: 'none'` into the `*-elem` directives, causing Chrome to ignore the `script-src` and `style-src` directives and most likely cause all your styles and scripts to not load. This has been reported in symfony/symfony#36643 and symfony/symfony#36641.
As a quick workaround for now, you can add the following to `packages/dev/nelmio_security.yaml`, which will cause the WebProfilerBundle to not add the directives:

```diff
csp:
    enforce:
+       default-src: ['unsafe-inline']
```
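The breakage described in the comment above comes from the CSP Level 3 fallback chain: a browser checks `script-src-elem` first and only falls back to `script-src` (and then `default-src`) when `script-src-elem` is absent, so an injected `script-src-elem 'none'` silently overrides a perfectly good `script-src 'self'`. The model below is an added example, not code from the NelmioSecurityBundle issue, from Symfony or from the WebProfilerBundle; it resolves the effective directive for a load and checks it against a header value. It assumes keyword and host sources only (nonces, hashes, wildcards and `'strict-dynamic'` are deliberately not modelled), and the page origin, header strings and URLs are constructed for the demonstration.

```javascript
// Added example: a minimal model of the CSP Level 3 directive fallback chain.
// Not the bundle's or Symfony's code. Assumption: only keywords ('self', 'none',
// 'unsafe-inline') and host sources are handled; nonces, hashes and wildcards are not.

// For each check, the first directive present in the policy governs it.
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "style-src-elem":  ["style-src-elem",  "style-src",  "default-src"],
  "style-src-attr":  ["style-src-attr",  "style-src",  "default-src"],
  "script-src":      ["script-src", "default-src"],
  "style-src":       ["style-src",  "default-src"],
};

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources; // keywords keep their quotes, e.g. "'self'"
  }
  return policy;
}

// The directive the browser actually consults for `check`, or null if none applies.
function effectiveDirective(policy, check) {
  for (const name of FALLBACK[check] || [check]) {
    if (name in policy) return name;
  }
  return null;
}

// "https://cdn.example/lib.js" or "cdn.example" -> "cdn.example"
function hostOf(src) {
  return src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].toLowerCase();
}

// May a page at `pageOrigin` load `url` for the given check (e.g. "script-src-elem")?
function allows(policy, check, url, pageOrigin) {
  const name = effectiveDirective(policy, check);
  if (name === null) return true;            // nothing governs this load
  const sources = policy[name];
  if (sources.includes("'none'")) return false;
  const origin = new URL(url).origin;
  for (const src of sources) {
    if (src === "'self'" && origin === pageOrigin) return true;
    if (src.startsWith("'")) continue;       // other keywords do not match URLs
    if (hostOf(src) === hostOf(url)) return true;
  }
  return false;
}

// May inline content (a <style> block, an onclick= attribute) run under `check`?
function allowsInline(policy, check) {
  const name = effectiveDirective(policy, check);
  return name === null || policy[name].includes("'unsafe-inline'");
}

// Constructed scenario: the policy the author wrote, and the same policy after the
// *-elem directives have been filled in from default-src 'none'.
const PAGE = "https://app.example";
const INTENDED = parsePolicy("default-src 'none'; script-src 'self'; style-src 'self'");
const BROKEN = parsePolicy(
  "default-src 'none'; script-src 'self'; style-src 'self'; " +
  "script-src-elem 'none'; style-src-elem 'none'"
);

console.log(effectiveDirective(INTENDED, "script-src-elem")); // script-src (fallback)
console.log(effectiveDirective(BROKEN, "script-src-elem"));   // script-src-elem (no fallback)
console.log(allows(INTENDED, "script-src-elem", PAGE + "/app.js", PAGE));   // true
console.log(allows(BROKEN, "script-src-elem", PAGE + "/app.js", PAGE));     // false
console.log(allows(BROKEN, "style-src-elem", PAGE + "/app.css", PAGE));     // false
console.log(allowsInline(BROKEN, "style-src-attr"));                        // false
```

Note that the `*-attr` checks in the broken policy still fall back to `script-src` / `style-src`, because only the `*-elem` directives were added; this is why a page can lose all of its external scripts and stylesheets while inline handlers behave exactly as before.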