I'd like to be able to easily toggle CSP on/off, and also have my templates aware of the setting, so I can conditionally include content when needed. I tried making an environment variable for this, but for some reason CSP is always enabled.
What I've got so far:
.env
.env.local
services.yaml
nelmio_security.yaml
twig.yaml
With the configuration above, I can write the following logic in my templates and it works as expected:
{% if csp_enabled %}
{% cspscript %}
{% set nonce = csp_nonce('script') %}
{# etc. #}
{% endif %}
If I toggle between APP_CSP_ENABLED=0 and APP_CSP_ENABLED=1 then the csp_enabled global Twig variable updates as expected, and the correct logic is executed in templates. I can verify the correct value is set with dump(csp_enabled) and it is always true or false as expected.
However, the bundle always outputs CSP headers as though the enabled setting was true.
If I set enabled: false then it will be disabled as expected, so there is nothing else overriding this setting elsewhere. But setting enabled: '%app.csp_enabled%' makes it always enabled.
I've deleted my cache, but that doesn't change anything.
I tried changing the config to refer to the environment variable directly with enabled: '%env(bool:APP_CSP_ENABLED)%' but that doesn't change anything.
What am I missing here?