[WebProfilerBundle] CSP still blocks style #20963
Labels
Comments
|
+1 |
|
Could you please provide the violation? |
|
@romainneutron I don't have this to hand and probably won't get chance to look at it for a few weeks. The CSP violation appears on pages rendering the toolbar (not the profiler pages themselves) that have a |
|
I just submitted a patch that solves your issue. Thanks for reporting |
fabpot
added a commit
that referenced
this issue
Mar 21, 2017
…ity in case of a `style-src 'self'` policy (romainneutron) This PR was merged into the 3.2 branch. Discussion ---------- [WebProfilerBundle] Fix Content-Security-Policy compatibility in case of a `style-src 'self'` policy | Q | A | ------------- | --- | Branch? | 3.2 <!-- see comment below --> | Bug fix? | yes | New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files --> | BC breaks? | no | Deprecations? | no <!-- don't forget updating UPGRADE-*.md files --> | Tests pass? | yes | Fixed tickets | #22053 #20963 | License | MIT This fixes the compatibility of the bundle in case of a `style-src 'self'` policy. This PR must be rebased once #22089 is merged Commits ------- 4acec89 [WebProfilerBundle] Fix content-security-policy compatibility
That looks like what I did locally when testing, so should solve the problem for me. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Unless I'm missing something #18568 doesn't fully fix the compatibility of the toolbar with content security policy, JS works fine but the toolbar CSS is blocked.
The reason is the CSS is injected from an XHR request and so has a different nonce than the one set in the CSP header.
A solution that works is to move the CSS into the
toolbar_js.html.twigview.I've prepared a branch with a few test actions to illustrate the problem:
symfony/symfony-standard@master...cs278:broken-csp
The text was updated successfully, but these errors were encountered: