8000 [WebProfiler] Do not add src-elem CSP directives if they do not exist · symfony/symfony@d9c4708 · GitHub
Commit d9c4708
ndenchnicolas-grekas
authored andcommitted
[WebProfiler] Do not add src-elem CSP directives if they do not exist
1 parent bb77914 commit d9c4708

2 files changed

+22
-8
lines changed


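--- a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -133,12 +133,11 @@ private function updateCspHeaders(Response $response, array $nonces = [])
 continue;
 }
 if (!isset($headers[$header][$type])) {
-if (isset($headers[$header]['default-src'])) {
-$headers[$header][$type] = $headers[$header]['default-src'];
-} else {
-// If there is no script-src/style-src and no default-src, no additional rules required.
+if (null === $fallback = $this->getDirectiveFallback($directives, $type)) {
 continue;
 }
+
+$headers[$header][$type] = $fallback;
 }
 $ruleIsSet = true;
 if (!\in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
@@ -218,9 +217,7 @@ private function authorizesInline(array $directivesSet, $type)
 {
 if (isset($directivesSet[$type])) {
 $directives = $directivesSet[$type];
-} elseif (isset($directivesSet['default-src'])) {
-$directives = $directivesSet['default-src'];
-} else {
+} elseif (null === $directives = $this->getDirectiveFallback($directivesSet, $type)) {
 return false;
 }
 
@@ -244,6 +241,16 @@ private function hasHashOrNonce(array $directives)
 return false;
 }
 
+private function getDirectiveFallback(array $directiveSet, $type)
+{
+if (\in_array($type, ['script-src-elem', 'style-src-elem'], true) || !isset($directiveSet['default-src'])) {
+// Let the browser fallback on it's own
+return null;
+}
+
+return $directiveSet['default-src'];
+}
+
 /**
 * Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
 * a response.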
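Review bot: The comment on the new getDirectiveFallback helper, `// Let the browser fallback on it's own`, has a typo and does not record why `script-src-elem`/`style-src-elem` are excluded, which is the security-relevant decision of this commit. I would replace it with `// script-src-elem/style-src-elem fall back to script-src/style-src first, then default-src; synthesising them from default-src would bypass an explicit script-src/style-src (see the removed test expectation) and could widen the policy, so leave their resolution to the browser.` The same helper now drives authorizesInline (second hunk), where an absent `script-src-elem` yields `return false` even when a present `script-src` would authorise the inline content; whether that is the intended answer depends on the caller, which is outside the hunk, so it deserves either a comment there or a test case. The enclosing class and updateCspHeaders both continue outside the hunks.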

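--- a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -131,7 +131,14 @@ public function provideRequestAndResponsesForOnKernelResponse()
 ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
 $this->createRequest(),
 $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'']),
-['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+],
+[
+$nonce,
+['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+$this->createRequest(),
+$this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
 ],
 [
 $nonce,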
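Review bot: The added dataset only exercises the case where `script-src-elem`/`style-src-elem` are present alongside `script-src`/`style-src`, so the regression this commit fixes (an `-elem` directive synthesised from `default-src` while an explicit `script-src` exists) is pinned only by the edited expectation above it, and the case of an `-elem` directive present with no matching `script-src` at all is still untested. A third dataset with `default-src 'self'; script-src-elem 'self'` expecting the nonce on `script-src-elem` and a synthesised `script-src` from `default-src` would lock that down. Consider also keying the datasets (e.g. `'elem directives present receive the nonce' => [...]`) so a failing row is identifiable; the provider's array starts outside the hunk.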
