WebProfiler CSP handler breaks on 'none' #36645

Closed
@cs278

Symfony version(s) affected: 3.4.40

Description
The use of the 'none' token in a CSP policy causes ContentSecurityPolicyHandler to generate invalid CSP headers.

How to reproduce

Set a CSP policy of default-src 'none'; and ensure the web profiler is enabled.

$response->headers->set('Content-Security-Policy', "default-src 'none'");

The following header will be sent to the client:

default-src 'none'; script-src 'none' 'unsafe-inline' 'nonce-123'; script-src-elem 'none' 'unsafe-inline' 'nonce-123'; style-src 'none' 'unsafe-inline' 'nonce-456'; style-src-elem 'none' 'unsafe-inline' 'nonce-456'

Chrome reports the following problems:

The source list for Content Security Policy directive 'script-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
The source list for Content Security Policy directive 'script-src-elem' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
The source list for Content Security Policy directive 'style-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
The source list for Content Security Policy directive 'style-src-elem' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.

This problem also exists if you have a policy of style-src 'none': you end up with a policy like style-src 'none' 'unsafe-inline' 'nonce-789'.

Possible Solution
Remove the 'none' token when appending additional tokens.

Additional context

Found this while investigating a regression #36643
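The "remove 'none' when appending" fix, as an added example that is not Symfony's ContentSecurityPolicyHandler code: a small CSP merge routine that parses the header, lets a missing script-src/style-src inherit default-src the way a browser would, and drops 'none' before adding the profiler's tokens. Function names, the token list and the nonce value are this example's own.

```php
<?php
// Added example (not Symfony's code): merge extra tokens into a CSP header
// while dropping 'none', which is only valid as the sole source expression.

/** Parse "a b c; d e" into ['a' => ['b', 'c'], 'd' => ['e']]. */
function parseCsp(string $header): array
{
    $directives = [];
    foreach (array_filter(array_map('trim', explode(';', $header))) as $directive) {
        $parts = preg_split('/\s+/', $directive);
        $name = strtolower(array_shift($parts));
        $directives[$name] = $parts;
    }
    return $directives;
}

function serializeCsp(array $directives): string
{
    $out = [];
    foreach ($directives as $name => $sources) {
        $out[] = trim($name . ' ' . implode(' ', $sources));
    }
    return implode('; ', $out);
}

/**
 * Append $tokens (e.g. 'unsafe-inline' and a nonce) to each directive in
 * $targets. A target that is absent inherits default-src's sources, as the
 * browser would; 'none' is removed because it has no effect once other
 * sources are present and Chrome reports it as an invalid source.
 */
function appendCspTokens(string $header, array $targets, array $tokens): string
{
    $directives = parseCsp($header);
    $fallback = $directives['default-src'] ?? [];
    foreach ($targets as $target) {
        $sources = $directives[$target] ?? $fallback;
        $sources = array_filter($sources, fn ($s) => strcasecmp($s, "'none'") !== 0);
        $directives[$target] = array_values(array_unique(array_merge($sources, $tokens)));
    }
    return serializeCsp($directives);
}

// Constructed input mirroring the report: default-src 'none' plus profiler tokens.
echo appendCspTokens("default-src 'none'", ['script-src', 'style-src'],
    ["'unsafe-inline'", "'nonce-123'"]), "\n";
```

Running this against the reported policy yields script-src and style-src directives that carry only the appended tokens, so the browser no longer sees 'none' mixed with other sources.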
