CSP interferes with var-dumper

Open pauljura opened this issue 1 year ago • 1 comments

After installing this and setting a strict Content Security Policy, I noticed that the Twig dump() function no longer shows pretty HTML-formatted output. It still outputs, but it doesn't have any styling or JavaScript toggles, due to inline script and inline styles being blocked.

Is there some way to detect when a dump() is included in the response, and disable CSP just for the current request?

I found a similar issue here https://github.com/symfony/symfony/issues/29084 but the solution there doesn't seem to work when this bundle is installed.

Thanks

pauljura, Mar 05 '24 04:03

Right, it'd probably make sense to look at the DumpDataCollector in the dev environment, and do something similar to https://github.com/symfony/symfony/commit/bbb4d9f26e1a04a695099d4272c52d079e6f04cd - if someone wants to PR this.. :)

Seldaek, Mar 11 '24 14:03
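One way to apply the suggestion above in an application, as an added example that is not code from NelmioSecurityBundle or Symfony: a response subscriber that drops the CSP headers only when the debug kernel is running and the dump collector recorded at least one dump() call. The class name `DumpCspRelaxSubscriber`, the `App\EventSubscriber` namespace, the `-64` priority and the service wiring are assumptions; `DumpDataCollector::getDumpsCount()` is the existing Symfony method.

```php
<?php
// Added example (hypothetical class), not part of NelmioSecurityBundle.
// Register it for the dev environment only, passing %kernel.debug% and
// the DebugBundle's dump data collector service as constructor arguments.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class DumpCspRelaxSubscriber implements EventSubscriberInterface
{
    private const CSP_HEADERS = [
        'Content-Security-Policy',
        'Content-Security-Policy-Report-Only',
    ];

    public function __construct(
        private readonly bool $debug,
        private readonly ?DumpDataCollector $dumpCollector = null,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // Assumption: a negative priority makes this run after the
        // listener that writes the CSP headers onto the response.
        return [KernelEvents::RESPONSE => ['onResponse', -64]];
    }

    public function onResponse(ResponseEvent $event): void
    {
        // Fail closed: keep the policy unless debug is on, the collector
        // exists, and this is the main request.
        if (!$this->debug || null === $this->dumpCollector || !$event->isMainRequest()) {
            return;
        }
        if (0 === $this->dumpCollector->getDumpsCount()) {
            return; // no dump() in this request, policy stays enforced
        }
        foreach (self::CSP_HEADERS as $header) {
            $event->getResponse()->headers->remove($header);
        }
    }
}
```

Every response without a dump() keeps the strict policy, so CSP violations elsewhere in the application still surface during development.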