
Unexpected appearance of unsafe-inline on CSP #346

Open
spyridonas opened this issue May 29, 2024 · 4 comments

Comments

@spyridonas

Hello,
I believe I have found a bug, or that my knowledge of CSP is lacking.
Given the following CSP configuration:

    csp:
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            connect-src:
                - 'self'

The Content Security Policy correctly shows the connect-src policy only.

If I add the same thing on default-src, making the configuration look like this:

    csp:
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            connect-src:
                - 'self'
            default-src:
                - 'self'

Then the response includes unsafe-inline as well.
Is this a known issue? Or is it expected behaviour?

@martijnc
Contributor

The bundle only injects unsafe-inline automatically when you use nonces or hashes and level1_fallback is set to true. This is done in DirectiveSet::buildHeaderValue. With your example, the bundle should not include unsafe-inline.

Some bundles (like the Symfony WebprofilerBundle) modify the CSP headers to include their own nonces/hashes (along with unsafe-inline for older browsers). Maybe this is what's happening here?

Can you check if the generated header value in ContentSecurityPolicyListener::buildHeaders is incorrect in your application?

@spyridonas
Author

spyridonas commented Jun 4, 2024

@martijnc
I do utilize nonces, but as you can see from the example, level1_fallback is set to false.
The issue appeared on the staging of our app, where Symfony is running in 'production' mode (APP_ENV=prod) and without any dev dependencies installed/running (such as WebProfilerBundle).
I will look at the ContentSecurityPolicyListener::buildHeaders output and report back.

@Seldaek
Member

Seldaek commented Jun 27, 2024

I am not sure why it's being injected right now, I'd have to check too, but note that unsafe-inline is ignored if a nonce or a hash is present (with browsers supporting CSP2 and above). So it is completely safe.
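The two rules stated in this thread (unsafe-inline is appended only when a directive carries a nonce or hash and level1_fallback is true; a CSP2+ browser ignores 'unsafe-inline' in a directive that also has a nonce or hash) can be checked against a real header value with the following added example. It is a standalone model written for this page, not the bundle's DirectiveSet::buildHeaderValue, and the directive names and source values it uses are constructed.

```python
import re

# Matches a CSP nonce or hash source expression, e.g. 'nonce-abc123' or 'sha256-...'.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$"
)


def build_header_value(directives, level1_fallback):
    """Model of the rule described in the thread: 'unsafe-inline' is appended to a
    directive only when that directive already contains a nonce or hash source
    AND level1_fallback is enabled. Hypothetical model, not the bundle's code.
    directives: {"default-src": ["'self'"], "script-src": ["'self'", "'nonce-x'"]}
    """
    parts = []
    for name, sources in directives.items():
        sources = list(sources)
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
        if level1_fallback and has_nonce_or_hash and "'unsafe-inline'" not in sources:
            sources.append("'unsafe-inline'")
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp(header):
    """Split a CSP header value into {directive_name: [source expressions]}."""
    result = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            result[tokens[0]] = tokens[1:]
    return result


def effective_unsafe_inline(header):
    """For every directive that lists 'unsafe-inline', return whether a CSP Level 2+
    browser would actually honour it: True means inline content is really allowed,
    False means a nonce/hash in the same directive neutralises 'unsafe-inline'.
    Nonces and hashes only carry meaning for script-src / style-src (and default-src
    when it governs them); the check is applied uniformly here for simplicity.
    """
    report = {}
    for name, sources in parse_csp(header).items():
        if "'unsafe-inline'" in sources:
            neutralised = any(NONCE_OR_HASH.match(s) for s in sources)
            report[name] = not neutralised
    return report
```

Running effective_unsafe_inline over the header your staging app actually sends shows whether the unexpected 'unsafe-inline' is inert (sits next to a nonce) or genuinely relaxes the policy.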

@mbrodala

mbrodala commented Aug 2, 2024
