Description
Symfony version(s) affected: 3.4 and 4.2.2
Description
When trying to add some simple CSP headers, the dump panel of the toolbar seems to break. I found this bug report #29155 but it seems to be a different problem as the suggested directive "unsafe-eval" in the script-src part is already included in the CSP header.
The bug seems to be in the VarDumper component or more precisely the HtmlDumper class as it inserts some style and script tags without the nonces. The "unsafe-inline" part is ignored when a nonce is supplied.
How to reproduce
I've created a small repo to reproduce this bug: https://github.com/izzyu91/symfony-toolbar-csp
Additional context
Error from the browser console:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'nonce-1cd6e14ffe406b1ddd9c705d3797d549'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.