diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bug #36315 [WebProfilerBundle] Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler (ampaze)

Browse Source 
This PR was merged into the 3.4 branch.

Discussion
----------

[WebProfilerBundle] Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| License       | MIT

If a `style-src-elem` or `script-src-elem` Content Security Policy exist, the WebProfiler Styles or Scripts will be rejected as the nonce is missing.

Commits
-------

7f33f1fa3a Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
This commit is contained in:
Fabien Potencier 2020-04-04 10:50:20 +02:00
commit 004f1f3823
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
View File

@ -128,7 +128,7 @@ class ContentSecurityPolicyHandler
$headers = $this->getCspHeaders($response);
foreach ($headers as $header => $directives) {
foreach (['script-src' => 'csp_script_nonce', 'style-src' => 'csp_style_nonce'] as $type => $tokenName) {
foreach (['script-src' => 'csp_script_nonce', 'script-src-elem' => 'csp_script_nonce', 'style-src' => 'csp_style_nonce', 'style-src-elem' => 'csp_style_nonce'] as $type => $tokenName) {
if ($this->authorizesInline($directives, $type)) {
continue;
}