WebProfilerBundle version(s) affected: 5.0.8 definitely; I assume 4.4.8 and 3.4.40 are affected as well.
Description
#36315 added support for `style-src-elem` and `script-src-elem`. However, they are set to both `unsafe-inline` and `nonce-`. This is not allowed in Chrome:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem * 'unsafe-inline' 'nonce-597c34dd0a6b70c13de427990c2cfe3f'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
How to reproduce
Set up a new Symfony 5 project, add `nelmio/security-bundle` and configure it to use `default-src: *`.
Alternatively create a controller that adds a CSP header:
$response->headers->add(['Content-Security-Policy' => 'default-src *']);
Any value other than `unsafe-inline` for `default-src` causes the bug.
Note that the incorrect headers are always sent, but the error is only triggered if there is an inline style. Rendering the debug bar will therefore cause the error.
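Added example, not code from this issue or from Symfony/WebProfilerBundle: a small model of the CSP Level 3 rule that the Chrome message quotes (once a nonce or hash is in the source list, `'unsafe-inline'` is ignored), applied to the reporter's header, plus one way a component that needs its own nonced inline styles could merge into an existing policy without ending up with both `'unsafe-inline'` and a nonce. The function names, the `style-src-elem` → `style-src` → `default-src` fallback chain and the merge strategy are assumptions of this example, not the bundle's implementation.

```javascript
// Added example: models a browser's inline-style decision under CSP3 and a
// header merge that never combines 'unsafe-inline' with a nonce.
// Not code from the issue or from WebProfilerBundle; names are assumptions.

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, src]) => [name, ...src].join(' ')).join('; ');
}

// Inline <style> elements are governed by style-src-elem, falling back to
// style-src and then default-src (CSP3 fallback order).
const STYLE_ELEM_CHAIN = ['style-src-elem', 'style-src', 'default-src'];

function effectiveSourceList(directives, chain) {
  for (const name of chain) if (directives.has(name)) return directives.get(name);
  return null; // no governing directive: not restricted
}

const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/i;

// Would the browser apply an inline <style> carrying `elementNonce`
// (undefined for a plain, un-nonced style) under this header?
function inlineStyleAllowed(header, elementNonce) {
  const list = effectiveSourceList(parseCsp(header), STYLE_ELEM_CHAIN);
  if (list === null) return true;
  if (elementNonce && list.includes(`'nonce-${elementNonce}'`)) return true;
  // A nonce or hash anywhere in the list switches 'unsafe-inline' off,
  // which is exactly what the Chrome message reports.
  if (list.some(s => NONCE_OR_HASH.test(s))) return false;
  return list.includes("'unsafe-inline'");
}

// Assumed merge strategy (not the bundle's code) for a component such as a
// debug toolbar whose inline styles carry `nonce`: if plain inline styles are
// already applied under the current policy, leave the header untouched;
// otherwise copy the governing list into style-src-elem, drop any
// 'unsafe-inline' (it would be ignored anyway) and add only the nonce.
function mergeToolbarNonce(header, nonce) {
  const directives = parseCsp(header);
  const list = effectiveSourceList(directives, STYLE_ELEM_CHAIN);
  if (list === null || inlineStyleAllowed(header, undefined)) return header;
  const cleaned = list.filter(s => s !== "'unsafe-inline'");
  directives.set('style-src-elem', [...cleaned, `'nonce-${nonce}'`]);
  return serializeCsp(directives);
}
```

With the reporter's constructed header `default-src *; style-src-elem * 'unsafe-inline' 'nonce-597c…'`, `inlineStyleAllowed` returns false for an un-nonced inline style and true only for one carrying that exact nonce, which is the behaviour Chrome reports; `mergeToolbarNonce('default-src *', nonce)` yields `default-src *; style-src-elem * 'nonce-…'` with no `'unsafe-inline'` alongside the nonce, and leaves a policy that already contains `'unsafe-inline'` alone.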