diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bug #36786 [WebProfiler] Remove 'none' when appending CSP tokens (ndench)

Browse Source 
This PR was merged into the 4.4 branch.

Discussion
----------

[WebProfiler] Remove 'none' when appending CSP tokens

| Q             | A
| ------------- | ---
| Branch?       | 3.4, 4.4, 5.0
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #36645
| License       | MIT
| Doc PR        | n/a

@nicolas-grekas  asked me to to have a look at this after #36678.

If a user has a CSP policy of `default-src 'none'`, then the WebProfiler copies `'none'` to `script-src` and `style-src` then adds other sources. This creates an invalid policy since `'none'` is only allowed when it's the only item in the source list.

This will probably need to be merged into 3.4 first, I started on 4.4 so I can test in my current symfony project which requires 4.4.

Commits
-------

967bc4a860 [WebProfiler] Remove 'none' when appending CSP tokens
This commit is contained in:
Fabien Potencier 2020-05-13 19:00:16 +02:00
commit 315010422f
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
View File

@ -133,6 +133,12 @@ class ContentSecurityPolicyHandler
continue;
}
if (['\'none\''] === $fallback) {
// Fallback came from "default-src: 'none'"
// 'none' is invalid if it's not the only expression in the source list, so we leave it out
$fallback = [];
}
$headers[$header][$type] = $fallback;
}
$ruleIsSet = true;

7
src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
View File

@ -140,6 +140,13 @@ class ContentSecurityPolicyHandlerTest extends TestCase
$this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
],
[
$nonce,
['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
$this->createRequest(),
$this->createResponse(['Content-Security-Policy' => 'default-src \'none\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'']),
['Content-Security-Policy' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
],
[
$nonce,
['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],