In the nelmio_security.yaml csp section, we have set script-src to 'strict-dynamic' (while commenting out unsafe-inline), and we are invoking csp_nonce('script') in target pages.
When doing so, the Content-Security-Policy header for requested pages lists script-src as 'unsafe-inline' as well as 'strict-dynamic', and two nonces are listed.
Is there a reason for two nonces in this scenario?
The unsafe-inline is just for compatibility with older browsers not supporting nonces. The two nonces I'm not sure why, maybe you used csp_nonce twice with different arguments? Try to check in the HTML source where the two nonce values are being used?
Are you using the Web Debug Toolbar? Symfony adds a second nonce in the WebProfilerBundle to ensure the debug toolbar works correctly.
In your screenshot, the first nonce is base64-encoded (encoding used by NelmioSecurityBundle), while the second nonce is hex-encoded (encoding used by WebProfilerBundle).
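The two replies above make a point worth seeing concretely: a header like the one in the report carries 'unsafe-inline', 'strict-dynamic' and two nonces at once, and what a browser honours depends on which CSP level it implements. The following is an added example, not code from NelmioSecurityBundle or from the issue; it models the CSP source-list rules (a nonce or hash makes 'unsafe-inline' inert from Level 2 on, and 'strict-dynamic' makes 'self' and host sources inert from Level 3 on) over a constructed header whose two nonce values are invented, one base64-encoded and one hex-encoded as described in the thread.

```python
"""Model of how a CSP-aware browser evaluates a script-src directive.

Added example (not part of the NelmioSecurityBundle project). It shows why
the 'unsafe-inline' fallback in the reported header does not weaken the
policy for nonce-aware browsers, and lets you tell the two nonces apart
by encoding. SAMPLE_HEADER and both nonce values are constructed.
"""
import re

# Constructed sample header: one base64-style nonce (as NelmioSecurityBundle
# emits) and one hex-style nonce (as the thread attributes to WebProfilerBundle).
SAMPLE_HEADER = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'strict-dynamic' "
    "'nonce-K3Vz8w1yQ9dH0aB2cD4eFg==' 'nonce-7f3a9c1e5b2d4a6f'; "
    "object-src 'none'"
)

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def nonces_in(sources):
    """Return the raw nonce values present in a source list."""
    found = []
    for source in sources:
        match = re.fullmatch(r"'nonce-([^']+)'", source)
        if match:
            found.append(match.group(1))
    return found


def nonce_encoding(nonce):
    """Classify a nonce as 'hex' or 'base64' (the hint used in the thread).

    Hex is checked first because every hex string is also valid base64.
    """
    if re.fullmatch(r"[0-9a-fA-F]+", nonce):
        return "hex"
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", nonce):
        return "base64"
    return "unknown"


def effective_script_src(sources, csp_level):
    """Return the source expressions a browser of the given CSP level honours.

    Level 1: no nonces/hashes, no 'strict-dynamic'; unknown tokens are ignored,
             so 'unsafe-inline' stays in force (the compatibility fallback).
    Level 2: nonces/hashes understood; their presence makes 'unsafe-inline' inert.
    Level 3: 'strict-dynamic' understood; it makes 'self', host sources and
             'unsafe-inline' inert, leaving only nonce/hash trust.
    """
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    has_strict_dynamic = "'strict-dynamic'" in sources
    effective = []
    for source in sources:
        if source.startswith(NONCE_OR_HASH):
            if csp_level >= 2:
                effective.append(source)
        elif source == "'strict-dynamic'":
            if csp_level >= 3:
                effective.append(source)
        elif source == "'unsafe-inline'":
            ignored = (csp_level >= 2 and has_nonce_or_hash) or (
                csp_level >= 3 and has_strict_dynamic
            )
            if not ignored:
                effective.append(source)
        else:
            # 'self', host sources, scheme sources: inert under strict-dynamic.
            if not (csp_level >= 3 and has_strict_dynamic):
                effective.append(source)
    return effective


if __name__ == "__main__":
    script_src = parse_csp(SAMPLE_HEADER)["script-src"]
    for nonce in nonces_in(script_src):
        print(f"nonce {nonce!r}: {nonce_encoding(nonce)}")
    for level in (1, 2, 3):
        print(f"CSP level {level} honours: {effective_script_src(script_src, level)}")
```

Running it shows that a Level 1 browser keeps only 'self' and 'unsafe-inline', a Level 2 browser keeps 'self' plus the two nonces, and a Level 3 browser keeps only 'strict-dynamic' plus the nonces, which is the intended strict policy; the hex/base64 classification is the same heuristic the reply above uses to attribute each nonce to its bundle.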