Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 3150104

Browse filesBrowse files
fabpotfabpot
committed
bug #36786 [WebProfiler] Remove 'none' when appending CSP tokens (ndench)
This PR was merged into the 4.4 branch. Discussion ---------- [WebProfiler] Remove 'none' when appending CSP tokens | Q | A | ------------- | --- | Branch? | 3.4, 4.4, 5.0 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36645 | License | MIT | Doc PR | n/a @nicolas-grekas asked me to to have a look at this after #36678. If a user has a CSP policy of `default-src 'none'`, then the WebProfiler copies `'none'` to `script-src` and `style-src` then adds other sources. This creates an invalid policy since `'none'` is only allowed when it's the only item in the source list. This will probably need to be merged into 3.4 first, I started on 4.4 so I can test in my current symfony project which requires 4.4. Commits ------- 967bc4a [WebProfiler] Remove 'none' when appending CSP tokens
2 parents b4342e3 + 967bc4a commit 3150104
Copy full SHA for 3150104

File tree

Expand file treeCollapse file tree

2 files changed

+13
-0
lines changed
Filter options
Expand file treeCollapse file tree

2 files changed

+13
-0
lines changed

‎src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+6Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,12 @@ private function updateCspHeaders(Response $response, array $nonces = []): array
133133
continue;
134134
}
135135

136+
if (['\'none\''] === $fallback) {
137+
// Fallback came from "default-src: 'none'"
138+
// 'none' is invalid if it's not the only expression in the source list, so we leave it out
139+
$fallback = [];
140+
}
141+
136142
$headers[$header][$type] = $fallback;
137143
}
138144
$ruleIsSet = true;

‎src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+7Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -140,6 +140,13 @@ public function provideRequestAndResponsesForOnKernelResponse()
140140
$this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
141141
['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
142142
],
143+
[
144+
$nonce,
145+
['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
146+
$this->createRequest(),
147+
$this->createResponse(['Content-Security-Policy' => 'default-src \'none\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'']),
148+
['Content-Security-Policy' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
149+
],
143150
[
144151
$nonce,
145152
['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.