Commit ba610e4

committed
[WebProfiler] Do not add src-elem CSP directives if they do not exist
1 parent a5ae434 commit ba610e4

2 files changed

+25
-10
lines changed

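--- a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -129,12 +129,13 @@ private function updateCspHeaders(Response $response, array $nonces = []): array
 continue;
 }
 if (!isset($headers[$header][$type])) {
-if (isset($headers[$header]['default-src'])) {
-$headers[$header][$type] = $headers[$header]['default-src'];
-} else {
-// If there is no script-src/style-src and no default-src, no additional rules required.
+$fallback = $this->getDirectiveFallback($directives, $type);
+if (null === $fallback) {
+// If there is no directive and no fallback, no additional rules required.
 continue;
 }
+
+$headers[$header][$type] = $fallback;
 }
 $ruleIsSet = true;
 if (!\in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
@@ -197,11 +198,8 @@ private function parseDirectives(string $header): array
 */
 private function authorizesInline(array $directivesSet, string $type): bool
 {
-if (isset($directivesSet[$type])) {
-$directives = $directivesSet[$type];
-} elseif (isset($directivesSet['default-src'])) {
-$directives = $directivesSet['default-src'];
-} else {
+$directives = $directivesSet[$type] ?? $this->getDirectiveFallback($directivesSet, $type);
+if (null === $directives) {
 return false;
 }
 
@@ -225,6 +223,16 @@ private function hasHashOrNonce(array $directives): bool
 return false;
 }
 
+private function getDirectiveFallback(array $directiveSet, string $type): ?array
+{
+if (\in_array($type, ['script-src-elem', 'style-src-elem'], true)) {
+// Let the browser fallback on it's own
+return null;
+}
+
+return $directiveSet['default-src'] ?? null;
+}
+
 /**
 * Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
 * a response.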

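--- a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -131,7 +131,14 @@ public function provideRequestAndResponsesForOnKernelResponse()
 ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
 $this->createRequest(),
 $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'']),
-['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+],
+[
+$nonce,
+['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+$this->createRequest(),
+$this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
 ],
 [
 $nonce,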
