NelmioSecurityBundle
Ability to override (and disable) `hash`
In `config/packages/dev/nelmio_security.yaml` I'm trying to override `hash` (which keeps me from using `unsafe-inline` on my dev environment where I test and have some inlined event handlers). Thus I use

```yaml
nelmio_security:
    csp:
        hash: {}
```

(and other similar syntax). Still, no way to disable it.
Worse, since `{% cspscript %}` are in the templates, even dropping `hash` from the main `config/packages/nelmio_security.yaml` is not enough (as it keeps sending `sha256-*` to the browser).
I think `computeForScript` should take the configuration into consideration.
The `{}` is considered empty, and will use the default configuration. It's not possible to disable this configuration (which would be `false`).
Disabling this for CSP would actually defeat the purpose of CSP.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src maybe the `'unsafe-hashes'` option can help here.
I will try `'unsafe-hashes'` but my purpose was exactly that: Disabling CSP (for my -dev environment) without having to change my markup.
https://bugzilla.mozilla.org/show_bug.cgi?id=1343950 (Not supported by FF)
(Overriding `hash` would be really useful)
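
Why a `sha256-*` source in the header gets in the way of `'unsafe-inline'`, shown as an added example (not NelmioSecurityBundle code and not written by anyone in this thread): a simplified Node.js model of how a CSP Level 3 browser decides whether inline script is allowed by a `script-src` source list. The function names, sample scripts and policies are constructed for illustration.

```javascript
// Added example: simplified model of the CSP3 inline checks for script-src.
// Not NelmioSecurityBundle code; names and sample policies are constructed.
const crypto = require("node:crypto");

// CSP hash source for a piece of inline script, e.g. 'sha256-...'
function cspHash(content, algo = "sha256") {
  const digest = crypto.createHash(algo).update(content, "utf8").digest("base64");
  return `'${algo}-${digest}'`;
}

const isHash = (s) => /^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$/.test(s);
const isNonce = (s) => /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/.test(s);

// kind: "script" for <script> element bodies, "attribute" for inline event
// handlers such as onclick="...". nonce: the element's nonce attribute, if any.
function allowsInline(scriptSrc, kind, content, nonce = null) {
  const sources = scriptSrc.trim().split(/\s+/);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const hardened = sources.some((s) => isHash(s) || isNonce(s)) || has("'strict-dynamic'");

  // 'unsafe-inline' only counts when no hash or nonce source is present.
  if (has("'unsafe-inline'") && !hardened) return true;

  // Nonces apply to elements only, never to event-handler attributes.
  if (kind === "script" && nonce && sources.includes(`'nonce-${nonce}'`)) return true;

  // Hashes match <script> bodies; attributes additionally need 'unsafe-hashes'.
  if (kind === "script" || has("'unsafe-hashes'")) {
    return ["sha256", "sha384", "sha512"].some((a) => sources.includes(cspHash(content, a)));
  }
  return false;
}

// Constructed sample: one hashed script block and one inline event handler.
const block = "console.log('hashed block');";
const handler = "doSomething()";
const devPolicy = `'self' 'unsafe-inline'`;
const withHash = `${devPolicy} ${cspHash(block)}`;

console.log("dev policy, handler:", allowsInline(devPolicy, "attribute", handler));
console.log("hash added, handler:", allowsInline(withHash, "attribute", handler));
console.log("hash added, block:  ", allowsInline(withHash, "script", block));
console.log("unsafe-hashes + handler hash:",
  allowsInline(`${withHash} 'unsafe-hashes' ${cspHash(handler)}`, "attribute", handler));
```

Once any hash source is in the list, the inline event handler is allowed only through its own hash together with `'unsafe-hashes'`; `'unsafe-inline'` no longer has any effect.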