Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

Commit 967bc4a

Browse filesBrowse files
committed
[WebProfiler] Remove 'none' when appending CSP tokens
1 parent 6541ac2 commit 967bc4a
Copy full SHA for 967bc4a

File tree

2 files changed

+13
-0
lines changed
Filter options

2 files changed

+13
-0
lines changed

‎src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+6Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,12 @@ private function updateCspHeaders(Response $response, array $nonces = []): array
133133
continue;
134134
}
135135

136+
if (['\'none\''] === $fallback) {
137+
// Fallback came from "default-src: 'none'"
138+
// 'none' is invalid if it's not the only expression in the source list, so we leave it out
139+
$fallback = [];
140+
}
141+
136142
$headers[$header][$type] = $fallback;
137143
}
138144
$ruleIsSet = true;

‎src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+7Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -140,6 +140,13 @@ public function provideRequestAndResponsesForOnKernelResponse()
140140
$this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
141141
['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
142142
],
143+
[
144+
$nonce,
145+
['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
146+
$this->createRequest(),
147+
$this->createResponse(['Content-Security-Policy' => 'default-src \'none\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'']),
148+
['Content-Security-Policy' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
149+
],
143150
[
144151
$nonce,
145152
['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.