Closed
Symfony version(s) affected
4.4, 5.4, 6.0, 6.1
Description
My webserver (nginx, but I guess it doesn't matter) is configured with a strict CSP that allows only self and nonces.
All is fine when I browse pages, since the web debug toolbar is correctly rendered with proper nonces.
The problem is when I click on WDT to open the profiler: here the style and the script are blocked.
I see that, actually, the profiler template is not using nonces at all.
How to reproduce
Use an nginx config like this one:

    server {
        server_name foobar.localhost;
        root /myproject/public;

        location / {
            try_files $uri /index.php$is_args$args;
        }

        location ~ ^/index\.php(/|$) {
            fastcgi_pass php:9000;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
            # Pass the per-request nonce to Symfony so the WDT can stamp its inline assets
            fastcgi_param HTTP_X_SYMFONYPROFILER_SCRIPT_NONCE $request_id;
            fastcgi_param HTTP_X_SYMFONYPROFILER_STYLE_NONCE $request_id;
        }

        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'nonce-$request_id'; script-src 'self' 'nonce-$request_id'";
    }
Then try to access the profiler at the /_profiler URL.
Possible Solution
Use the same variables (csp_script_nonce and csp_style_nonce) currently used for the WDT.
Additional Context
No response
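To make the failure mode above checkable outside a browser, here is an added example (not Symfony's code, not from the reporter) that applies a nonce-based CSP such as the one in the nginx config to a rendered page and lists the inline script/style elements the browser would refuse. The CSP header and HTML below are constructed: the HTML mimics a page where the WDT script carries the nonce but the profiler's inline style and script do not.

```python
import re
from html.parser import HTMLParser

# Constructed CSP header, same shape as the report's add_header with $request_id resolved.
CSP_HEADER = "default-src 'self'; style-src 'self' 'nonce-abc123'; script-src 'self' 'nonce-abc123'"

# Constructed HTML: line 4 (WDT) carries the nonce; lines 3 and 6 (profiler) do not.
SAMPLE_HTML = """
<html><head>
<style>body{margin:0}</style>
<script nonce="abc123">/* web debug toolbar */</script>
<script src="/bundles/framework/app.js"></script>
<script>console.log('profiler')</script>
</head></html>
"""

def parse_csp(header):
    """Return {directive: [sources]} for a Content-Security-Policy header value."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def inline_allowed(policy, directive, nonce):
    """Would an inline element with this nonce attribute run under the directive?
    Falls back to default-src; hash sources and 'strict-dynamic' are not modelled."""
    sources = policy.get(directive, policy.get("default-src", []))
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonces:  # any nonce source makes the browser ignore 'unsafe-inline'
        return nonce in nonces
    return "'unsafe-inline'" in sources

class InlineAssetCollector(HTMLParser):
    """Collect inline <script>/<style> start tags with their nonce and line number."""
    def __init__(self):
        super().__init__()
        self.assets = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # External scripts (src=) are matched against host sources, not nonces.
        if tag == "style" or (tag == "script" and "src" not in a):
            self.assets.append((tag, a.get("nonce"), self.getpos()[0]))

def blocked_inline_assets(html, csp_header):
    """Return (tag, line) for every inline asset the policy would block."""
    policy = parse_csp(csp_header)
    collector = InlineAssetCollector()
    collector.feed(html)
    return [(tag, line) for tag, nonce, line in collector.assets
            if not inline_allowed(policy, "script-src" if tag == "script" else "style-src", nonce)]
```

Running `blocked_inline_assets(SAMPLE_HTML, CSP_HEADER)` reports the un-nonced style and script, which is exactly what the profiler page triggers in the browser console.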