symfony
diff --git a/‎src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
+26-9Lines changed: 26 additions & 9 deletions b/‎src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
+26-9Lines changed: 26 additions & 9 deletions
diff --git a/‎src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
Copy file name to clipboard
+253Lines changed: 253 additions & 0 deletions b/‎src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
Copy file name to clipboard
+253Lines changed: 253 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/WebProfilerBundle/Csp/NonceGenerator.php
Copy file name to clipboard
+25Lines changed: 25 additions & 0 deletions b/‎src/Symfony/Bundle/WebProfilerBundle/Csp/NonceGenerator.php
Copy file name to clipboard
+25Lines changed: 25 additions & 0 deletions
@@ -11,6 +11,7 @@
 
 namespace Symfony\Bundle\WebProfilerBundle\Controller;
 
+use Symfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
 use Symfony\Bundle\WebProfilerBundle\Profiler\TemplateManager;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -33,6 +34,7 @@ class ProfilerController
     private $twig;
     private $templates;
     private $toolbarPosition;
+    private $cspHandler;
 
     /**
      * Constructor.
@@ -43,13 +45,14 @@ class ProfilerController
      * @param array                 $templates       The templates
      * @param string                $toolbarPosition The toolbar position (top, bottom, normal, or null -- use the configuration)
      */
-    public function __construct(UrlGeneratorInterface $generator, Profiler $profiler = null, \Twig_Environment $twig, array $templates, $toolbarPosition = 'normal')
+    public function __construct(UrlGeneratorInterface $generator, Profiler $profiler = null, \Twig_Environment $twig, array $templates, $toolbarPosition = 'normal', ContentSecurityPolicyHandler $cspHandler = null)
     {
         $this->generator = $generator;
         $this->profiler = $profiler;
         $this->twig = $twig;
         $this->templates = $templates;
         $this->toolbarPosition = $toolbarPosition;
+        $this->cspHandler = $cspHandler;
     }
 
     /**
@@ -103,7 +106,7 @@ public function panelAction(Request $request, $token)
             throw new NotFoundHttpException(sprintf('Panel "%s" is not available for token "%s".', $panel, $token));
         }
 
-        return new Response($this->twig->render($this->getTemplateManager()->getName($profile, $panel), array(
+        return $this->renderWithCspNonces($request, $this->getTemplateManager()->getName($profile, $panel), array(
             'token' => $token,
             'profile' => $profile,
             'collector' => $profile->getCollector($panel),
@@ -113,7 +116,7 @@ public function panelAction(Request $request, $token)
             'templates' => $this->getTemplateManager()->getTemplates($profile),
             'is_ajax' => $request->isXmlHttpRequest(),
             'profiler_markup_version' => 2, // 1 = original profiler, 2 = Symfony 2.8+ profiler
-        )), 200, array('Content-Type' => 'text/html'));
+        ));
     }
 
     /**
@@ -134,10 +137,10 @@ public function infoAction(Request $request, $about)
 
         $this->profiler->disable();
 
-        return new Response($this->twig->render('@WebProfiler/Profiler/info.html.twig', array(
+        return $this->renderWithCspNonces($request, '@WebProfiler/Profiler/info.html.twig', array(
             'about' => $about,
             'request' => $request,
-        )), 200, array('Content-Type' => 'text/html'));
+        ));
     }
 
     /**
@@ -185,15 +188,15 @@ public function toolbarAction(Request $request, $token)
             // the profiler is not enabled
         }
 
-        return new Response($this->twig->render('@WebProfiler/Profiler/toolbar.html.twig', array(
+        return $this->renderWithCspNonces($request, '@WebProfiler/Profiler/toolbar.html.twig', array(
             'request' => $request,
             'position' => $position,
             'profile' => $profile,
             'templates' => $this->getTemplateManager()->getTemplates($profile),
             'profiler_url' => $url,
             'token' => $token,
             'profiler_markup_version' => 2, // 1 = original toolbar, 2 = Symfony 2.8+ toolbar
-        )), 200, array('Content-Type' => 'text/html'));
+        ));
     }
 
     /**
@@ -278,7 +281,7 @@ public function searchResultsAction(Request $request, $token)
         $end = $request->query->get('end', null);
         $limit = $request->query->get('limit');
 
-        return new Response($this->twig->render('@WebProfiler/Profiler/results.html.twig', array(
+        return $this->renderWithCspNonces($request, '@WebProfiler/Profiler/results.html.twig', array(
             'request' => $request,
             'token' => $token,
             'profile' => $profile,
@@ -291,7 +294,7 @@ public function searchResultsAction(Request $request, $token)
             'end' => $end,
             'limit' => $limit,
             'panel' => null,
-        )), 200, array('Content-Type' => 'text/html'));
+        ));
     }
 
     /**
@@ -384,4 +387,18 @@ protected function getTemplateManager()
 
         return $this->templateManager;
     }
+
+    private function renderWithCspNonces(Request $request, $template, $variables, $code = 200, $headers = array('Content-Type' => 'text/html'))
+    {
+        $response = new Response('', $code, $headers);
+
+        $nonces = $this->cspHandler ? $this->cspHandler->getNonces($request, $response) : array();
+
+        $variables['csp_script_nonce'] = isset($nonces['csp_script_nonce']) ? $nonces['csp_script_nonce'] : null;
+        $variables['csp_style_nonce'] = isset($nonces['csp_style_nonce']) ? $nonces['csp_style_nonce'] : null;
+
+        $response->setContent($this->twig->render($template, $variables));
+
+        return $response;
+    }
 }
@@ -0,0 +1,253 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\WebProfilerBundle\Csp;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Handles Content-Security-Policy HTTP header for the WebProfiler Bundle.
+ *
+ * @author Romain Neutron <imprec@gmail.com>
+ */
+class ContentSecurityPolicyHandler
+{
+    private $nonceGenerator;
+
+    public function __construct(NonceGenerator $nonceGenerator)
+    {
+        return $this->nonceGenerator = $nonceGenerator;
+    }
+
+    /**
+     * Returns an array of nonces to be used in Twig templates and Content-Security-Policy headers.
+     *
+     * Nonce can be provided by;
+     *  - The request - In case HTML content is fetched via AJAX and inserted in DOM, it must use the same nonce as origin
+     *  - The response -  A call to getNonces() has already been done previously. Same nonce are returned
+     *  - They are otherwise randomly generated
+     *
+     * @param Request  $request
+     * @param Response $response
+     *
+     * @return array
+     */
+    public function getNonces(Request $request, Response $response)
+    {
+        if ($request->headers->has('X-SymfonyProfiler-Script-Nonce') && $request->headers->has('X-SymfonyProfiler-Style-Nonce')) {
+            return array(
+                'csp_script_nonce' => $request->headers->get('X-SymfonyProfiler-Script-Nonce'),
+                'csp_style_nonce' => $request->headers->get('X-SymfonyProfiler-Style-Nonce'),
+            );
+        }
+
+        if ($response->headers->has('X-SymfonyProfiler-Script-Nonce') && $response->headers->has('X-SymfonyProfiler-Style-Nonce')) {
+            return array(
+                'csp_script_nonce' => $response->headers->get('X-SymfonyProfiler-Script-Nonce'),
+                'csp_style_nonce' => $response->headers->get('X-SymfonyProfiler-Style-Nonce'),
+            );
+        }
+
+        $nonces = array(
+            'csp_script_nonce' => $this->generateNonce(),
+            'csp_style_nonce' => $this->generateNonce(),
+        );
+
+        $response->headers->set('X-SymfonyProfiler-Script-Nonce', $nonces['csp_script_nonce']);
+        $response->headers->set('X-SymfonyProfiler-Style-Nonce', $nonces['csp_style_nonce']);
+
+        return $nonces;
+    }
+
+    /**
+     * Cleanup temporary headers and updates Content-Security-Policy headers.
+     *
+     * This method should be called on KernelEvents::RESPONSE
+     *
+     * @param Request  $request
+     * @param Response $response
+     *
+     * @return array Nonce used by the bundle in Content-Security-Policy header
+     */
+    public function onKernelResponse(Request $request, Response $response)
+    {
+        $nonces = $this->getNonces($request, $response);
+        $this->cleanHeaders($response);
+        $this->updateCspHeaders($response, $nonces);
+
+        return $nonces;
+    }
+
+    /**
+     * @param Response $response
+     */
+    private function cleanHeaders(Response $response)
+    {
+        $response->headers->remove('X-SymfonyProfiler-Script-Nonce');
+        $response->headers->remove('X-SymfonyProfiler-Style-Nonce');
+    }
+
+    /**
+     * Updates Content-Security-Policy headers in a response.
+     *
+     * @param Response $response
+     * @param array    $nonces
+     *
+     * @return array
+     */
+    private function updateCspHeaders(Response $response, array $nonces = array()) {
+        $nonces = array_replace(array(
+            'csp_script_nonce' => $this->generateNonce(),
+            'csp_style_nonce' => $this->generateNonce(),
+        ), $nonces);
+
+        $ruleIsSet = false;
+
+        $headers = $this->getCspHeaders($response);
+
+        foreach ($headers as $header => $directives) {
+            foreach (array('script-src' => 'csp_script_nonce', 'style-src' => 'csp_style_nonce') as $type => $tokenName) {
+                if (!$this->authorizesInline($directives, $type)) {
+                    if (!isset($headers[$header][$type])) {
+                        if (isset($headers[$header]['default-src'])) {
+                            $headers[$header][$type] = $headers[$header]['default-src'];
+                        } else {
+                            $headers[$header][$type] = array();
+                        }
+                    }
+                    $ruleIsSet = true;
+                    if (!in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
+                        $headers[$header][$type][] = '\'unsafe-inline\'';
+                    }
+                    $headers[$header][$type][] = sprintf('\'nonce-%s\'', $nonces[$tokenName]);
+                }
+            }
+        }
+
+        if (!$ruleIsSet) {
+            return $nonces;
+        }
+
+        foreach ($headers as $header => $directives) {
+            $response->headers->set($header, $this->generateCspHeader($directives));
+        }
+
+        return $nonces;
+    }
+
+    /**
+     * Generates a valid Content-Security-Policy nonce.
+     *
+     * @return string
+     */
+    private function generateNonce()
+    {
+        return $this->nonceGenerator->generate();
+    }
+
+    /**
+     * Converts a directives set array into Content-Security-Policy header.
+     *
+     * @param array $directives The directives set
+     *
+     * @return string The Content-Security-Policy header
+     */
+    private function generateCspHeader(array $directives)
+    {
+        return array_reduce(array_keys($directives), function ($res, $name) use ($directives) {
+            return ($res !== '' ? $res.'; ' : '').sprintf('%s %s', $name, implode(' ', $directives[$name]));
+        }, '');
+    }
+
+    /**
+     * Converts a Content-Security-Policy header value into a directives set array.
+     *
+     * @param string $header The header value
+     *
+     * @return array The directives set
+     */
+    private function parseDirectives($header) {
+        $directives = array();
+
+        foreach (explode(';', $header) as $directive) {
+            $parts = explode(' ', trim($directive));
+            if (count($parts) < 1) {
+                continue;
+            }
+            $name = array_shift($parts);
+            $directives[$name] = $parts;
+        }
+
+        return $directives;
+    }
+
+    /**
+     * Detects if the 'unsafe-inline' is prevented for a directive within the directives set.
+     *
+     * @param array  $directivesSet The directives set
+     * @param string $type          The name of the directive to check
+     *
+     * @return bool
+     */
+    private function authorizesInline(array $directivesSet, $type)
+    {
+        if (isset($directivesSet[$type])) {
+            $directives = $directivesSet[$type];
+        } elseif (isset($directivesSet['default-src'])) {
+            $directives = $directivesSet['default-src'];
+        } else {
+            return false;
+        }
+
+        return in_array('\'unsafe-inline\'', $directives, true) && !$this->hasHashOrNonce($directives);
+    }
+
+    private function hasHashOrNonce(array $directives)
+    {
+        foreach ($directives as $directive) {
+            if ('\'' !== substr($directive, -1)) {
+                continue;
+            }
+            if ('\'nonce-' === substr($directive, 0, 7)) {
+                return true;
+            }
+            if (in_array(substr($directive, 0, 8), array('\'sha256-', '\'sha384-', '\'sha512-'), true)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
+     * a response.
+     *
+     * @param Response $response The response
+     *
+     * @return array An associative array of headers
+     */
+    private function getCspHeaders(Response $response)
+    {
+        $headers = array();
+
+        if ($response->headers->has('Content-Security-Policy')) {
+            $headers['Content-Security-Policy'] = $this->parseDirectives($response->headers->get('Content-Security-Policy'));
+        }
+
+        if ($response->headers->has('X-Content-Security-Policy')) {
+            $headers['X-Content-Security-Policy'] = $this->parseDirectives($response->headers->get('X-Content-Security-Policy'));
+        }
+
+        return $headers;
+    }
+}
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\WebProfilerBundle\Csp;
+
+/**
+ * Generates Content-Security-Policy nonce.
+ *
+ * @author Romain Neutron <imprec@gmail.com>
+ */
+class NonceGenerator
+{
+    public function generate()
+    {
+        return bin2hex(random_bytes(16));
+    }
+}