Description
When using a very strict CSP that forbids unsafe-eval and unsafe-inline, it is currently not possible to use dump() because the profiler toolbar breaks. This is because the toolbar needs to evaluate JS that is embedded inside of it via Collectors, which is not easy to refactor (#27588).
This feature request suggests that the ContentSecurityPolicyHandler injects unsafe-eval only if the dumper was used in the current HTTP request. This is a small and simple extension to #18568 and avoids the problems that come with setting unsafe-eval all the time in the dev environment just for using the dumper from time to time.
Example
Create a simple ResponseSubscriber that sets the following header:
"Content-Security-Policy: script-src 'self'"
When using dump() in a Controller, for example, the ContentSecurityPolicyHandler correctly creates nonces for inline JS, but it is currently not setting unsafe-eval in the CSP, which leads to errors and the toolbar not displaying because it cannot evaluate its embedded JS. The profiler itself is not affected. The JS in the dumper is only needed to collapse elements, but it cannot be easily reused because of its dynamic nature.
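The following is an added example, not code from this issue or from Symfony, of the response subscriber described above together with the behaviour the request proposes: it emits a strict CSP on every response and, in debug mode only, widens script-src with 'unsafe-eval' for the single response in which dump() was actually called. Assumptions: Symfony 5.3+ HttpKernel (ResponseEvent::isMainRequest()), and DumpDataCollector::getDumpsCount() as the "dump() was called in this request" signal; the class name StrictCspSubscriber and the base policy string are made up for the example.

```php
<?php
// Added example (not from the issue or from Symfony itself).
// Emits a strict CSP and adds 'unsafe-eval' to script-src only for the
// response of a request in which dump() was used, and only in debug mode.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class StrictCspSubscriber implements EventSubscriberInterface
{
    // Constructed policy for the example: no unsafe-inline, no unsafe-eval.
    private const BASE_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";

    private ?DumpDataCollector $dumps; // null outside dev (collector not registered)
    private bool $debug;               // bind to %kernel.debug%

    public function __construct(?DumpDataCollector $dumps, bool $debug)
    {
        $this->dumps = $dumps;
        $this->debug = $debug;
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 0 runs before WebProfilerBundle's toolbar listener (-128),
        // which then appends its per-request nonces to the directives set here.
        return [KernelEvents::RESPONSE => ['onResponse', 0]];
    }

    public function onResponse(ResponseEvent $event): void
    {
        // Symfony >= 5.3; older releases expose isMasterRequest() instead.
        if (!$event->isMainRequest()) {
            return;
        }

        $policy = self::BASE_POLICY;

        // Assumption: getDumpsCount() > 0 means dump() ran during this request.
        $dumpUsed = $this->dumps !== null && $this->dumps->getDumpsCount() > 0;
        if ($this->debug && $dumpUsed) {
            $policy = self::addToDirective($policy, 'script-src', "'unsafe-eval'");
        }

        $event->getResponse()->headers->set('Content-Security-Policy', $policy);
    }

    /**
     * Append a source expression to one directive of a serialized CSP,
     * leaving every other directive untouched and never duplicating the source.
     */
    public static function addToDirective(string $policy, string $directive, string $source): string
    {
        $parts = array_filter(array_map('trim', explode(';', $policy)));
        $found = false;

        foreach ($parts as $i => $part) {
            $tokens = preg_split('/\s+/', $part);
            if (strtolower($tokens[0]) === $directive) {
                if (!in_array($source, $tokens, true)) {
                    $parts[$i] = $part.' '.$source;
                }
                $found = true;
            }
        }

        if (!$found) {
            $parts[] = $directive.' '.$source;
        }

        return implode('; ', $parts);
    }
}
```

With the collector wired as an optional argument (it exists only when the profiler is enabled) and `$debug` bound to `%kernel.debug%`, the production build never emits 'unsafe-eval', the dev build emits it only on responses that actually carried a dump, and `addToDirective()` keeps the rest of the policy (default-src, object-src) intact.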
Update: Added a simple Symfony 5 project https://github.com/monojp/symfony_security_csp with the strictest CSP and 2 routes (/test, which injects the profiler, and /test_dump, which uses dump() and should break the profiler).