[WebProfilerBundle] Inject "unsafe-eval" into the CSP if the VarDumper is used #29084

Closed
@herndlm
Description
When using a very strict CSP that forbids unsafe-eval and unsafe-inline, it is currently not possible to use dump() because the profiler toolbar breaks. This is because it needs to evaluate JS that is embedded inside of it via Collectors, which is not easy to refactor (#27588).
This feature request suggests that in the ContentSecurityPolicyHandler unsafe-eval is injected if the dumper was used in the current HTTP request. This is a small and simple extension to #18568 and avoids the problems that come with setting unsafe-eval all the time in the dev environment just for using the dumper from time to time.

Example
Create a simple ResponseSubscriber that sets the following header:
"Content-Security-Policy: script-src 'self'"
When using dump() in e.g. a Controller, the ContentSecurityPolicyHandler is correctly creating nonces for inline JS, but it is currently not setting unsafe-eval in the CSP, which leads to errors and the toolbar not displaying because it cannot evaluate its embedded JS. The profiler is not affected. The JS in the dumper is just needed to collapse elements, but it cannot be easily reused because of its dynamic nature.
Update: Added a simple Symfony 5 project https://github.com/monojp/symfony_security_csp with the strictest CSP and 2 routes (/test, which injects the profiler, and /test_dump, which uses dump and should break the profiler)
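The subscriber the report describes, extended with the behaviour the feature request asks for, as an added example that is not code from Symfony, the WebProfilerBundle or the linked reproduction project. It assumes a Symfony 5.3+ application (for `isMainRequest()`) with the WebProfilerBundle enabled in dev, and that the `data_collector.dump` service (`DumpDataCollector`) can be injected and reports via `getDumpsCount()` how many times dump() ran in the current request; the class name, the baseline policy and the `addSource()` helper are this example's own. It sets the strict baseline policy from the report on every main response and appends `'unsafe-eval'` to `script-src` only for a response in which dump() was actually called, so the policy stays strict on every other page in the dev environment:

```php
<?php
// Added example for this issue; not code from Symfony or the linked reproduction project.
// Assumptions (not stated on the page): a Symfony 5.3+ application, the WebProfilerBundle
// enabled in the dev environment, and the "data_collector.dump" service injectable as
// DumpDataCollector, whose getDumpsCount() grows each time dump() is called in a request.

declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class StrictCspSubscriber implements EventSubscriberInterface
{
    // The strict baseline from the report: no 'unsafe-inline', no 'unsafe-eval'.
    private const BASE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

    /** @var DumpDataCollector */
    private $dumpCollector;

    public function __construct(DumpDataCollector $dumpCollector)
    {
        $this->dumpCollector = $dumpCollector;
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 0: after the controller has run, but before the profiler (-100) and
        // the toolbar injector (-128), so the bundle's CSP handler sees our header and
        // can add its nonces for the inline scripts it injects.
        return [KernelEvents::RESPONSE => ['onKernelResponse', 0]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $csp = self::BASE_CSP;

        // Relax script-src only for a response in which dump() was actually used,
        // which is what the report asks the ContentSecurityPolicyHandler to do.
        if ($this->dumpCollector->getDumpsCount() > 0) {
            $csp = self::addSource($csp, 'script-src', "'unsafe-eval'");
        }

        $event->getResponse()->headers->set('Content-Security-Policy', $csp);
    }

    /**
     * Appends $source to $directive in a serialized CSP, creating the directive if it
     * is absent. A missing script-src inherits default-src, so a new directive is seeded
     * with default-src's sources (minus 'none') rather than silently widening to $source only.
     */
    public static function addSource(string $csp, string $directive, string $source): string
    {
        $directives = [];
        foreach (explode(';', $csp) as $chunk) {
            $tokens = preg_split('/\s+/', trim($chunk), -1, PREG_SPLIT_NO_EMPTY);
            if ($tokens === []) {
                continue;
            }
            $name = strtolower(array_shift($tokens));
            $directives[$name] = $tokens;
        }

        if (!isset($directives[$directive])) {
            $inherited = $directives['default-src'] ?? [];
            $directives[$directive] = array_values(array_filter($inherited, function (string $s): bool {
                return strtolower($s) !== "'none'";
            }));
        }
        if (!in_array($source, $directives[$directive], true)) {
            $directives[$directive][] = $source;
        }

        $out = [];
        foreach ($directives as $name => $sources) {
            $out[] = trim($name.' '.implode(' ', $sources));
        }

        return implode('; ', $out);
    }
}
```

With the baseline above, `addSource(BASE_CSP, 'script-src', "'unsafe-eval'")` yields `default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'; base-uri 'none'`; for a policy that only has `default-src 'self'`, it adds `script-src 'self' 'unsafe-eval'` instead of a bare `script-src 'unsafe-eval'`, which would otherwise have blocked the application's own scripts. Register the subscriber only in the dev environment: `'unsafe-eval'` disables the eval restriction for the whole page, not just for the toolbar, so it has no place in a production policy.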
