NelmioSecurityBundle

Ability to override (and disable) `hash`

Open drzraf opened this issue 2 years ago • 3 comments

In `config/packages/dev/nelmio_security.yaml` I'm trying to override `hash` (which keeps me from using `unsafe-inline` on my dev environment where I test and have some inlined event handlers). Thus I use

```yaml
nelmio_security:
    csp:
        hash: {}
```

(and other similar syntax).

Still, no way to disable it. Worse, since `{% cspscript %}` tags are in the templates, even dropping `hash` from the main `config/packages/nelmio_security.yaml` is not enough (as it keeps sending `sha256-*` to the browser).

I think `computeForScript` should take the configuration into consideration.

drzraf avatar Sep 08 '21 22:09 drzraf

The `{}` is considered empty and will use the default configuration. It's not possible to disable this configuration (which would be `false`).

Disabling this for CSP would actually defeat the purpose of CSP. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src; maybe the `'unsafe-hashes'` option can help here.

sstok avatar Sep 10 '21 11:09 sstok

I will try `'unsafe-hashes'`, but my purpose was exactly that: disabling CSP (for my dev environment) without having to change my markup.

drzraf avatar Sep 10 '21 16:09 drzraf

https://bugzilla.mozilla.org/show_bug.cgi?id=1343950 (not supported by Firefox)

(Overriding hash would be really useful)

drzraf avatar Sep 10 '21 16:09 drzraf