Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

[VarDumper] Broken dump in toolbar #29919

Copy link
Copy link
Closed
@dschoschu

Description

@dschoschu
Issue body actions

Symfony version(s) affected: 3.4 and 4.2.2

Description
When trying to add some simple CSP headers, the dump panel of the toolbar seems to break. I found this bug report #29155 but it seems to be a different problem as the suggested directive "unsafe-eval" in the script-src part is already included in the CSP header.

The bug seems to be in the VarDumper component or more precisely the HtmlDumper class as it inserts some style and script tags without the nonces. The "unsafe-inline" part is ignored when a nonce is supplied.

How to reproduce
I've created a small repo to reproduce this bug: https://github.com/izzyu91/symfony-toolbar-csp

Additional context
Error from the browser console:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'nonce-1cd6e14ffe406b1ddd9c705d3797d549'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

Screenshot from the dump section:
bildschirmfoto 2019-01-17 um 14 58 35

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      Morty Proxy This is a proxified and sanitized view of the page, visit original site.