Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

[WebProfilerBundle] Handle 'unsafe-eval' in CSP #27525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[WebProfilerBundle] Handle 'unsafe-eval' in CSP #27525

wants to merge 1 commit into from

Conversation

herndlm
Copy link
Contributor

@herndlm herndlm commented Jun 6, 2018

In base_js_html.twig eval is used but the ContentSecurityPolicyHandler never adds 'unsafe-eval' to the nonce which breaks the profiler with very strict CSPs

Q A
Branch? 3.3 - 4.1
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #...
License MIT
Doc PR symfony/symfony-docs#...

I was using the profiler bundle with the very strict CSP "default-src 'self'; script-src 'self';" and the browser was not loading the toolbar because of CSP violations.

This change uses already existing functionality and loops through source values ("unsafe-inline" and "unsafe-eval") where before just "unsafe-inline" was used. I also adapted the unit tests for it, added new tests for edge cases and my case that failed. I honestly don't know if this is the best way to fix them / handle unsafe-eval, but this seems to be working fine for me.

@stof
Copy link
Member

stof commented Jun 6, 2018

your change is broken here. The handling of unsafe-evalis totally different from the handling of unsafe-inline:

  • allowing it does not involve dealing with nonces (a nonce will not allow evaling). So your authorizes implementation does not work well for eval (I suggest keeping the detection separate too)
  • it does not apply to the style-src rule

So you should handle it separately instead of looping over unsafe-inline and unsafe-eval.

On a side note, this should go in 3.4, not in 3.3 as this is not a security fix: https://symfony.com/roadmap/3.3

@herndlm
Copy link
Contributor Author

herndlm commented Jun 6, 2018

I see, I was not thinking that through..

So it cannot easily be "fixed" via nonce but just globally enabled instead which I also don't like (CSP errors not noticed in dev environment). Maybe the eval is now called in my case because of 0cd51ae

@nicolas-grekas nicolas-grekas added this to the 3.4 milestone Jun 6, 2018
@stof
Copy link
Member

stof commented Jun 6, 2018

The drawback of injecting unsafe-eval in the CSP is that any other eval violation would not be catched in dev environments (due to being forced as allowed by this change).

I think the only place where we use eval is in the debug panel. We might want to refactor it to stop using eval.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants
Morty Proxy This is a proxified and sanitized view of the page, visit original site.