[WebProfiler] Remove 'none' when appending CSP tokens

ndench · ndench · commit 967bc4a860b7 · 2020-05-12T17:24:37.000+10:00
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -133,6 +133,12 @@ private function updateCspHeaders(Response $response, array $nonces = []): array
                         continue;
                     }
 
+                    if (['\'none\''] === $fallback) {
+                        // Fallback came from "default-src: 'none'"
+                        // 'none' is invalid if it's not the only expression in the source list, so we leave it out
+                        $fallback = [];
+                    }
+
                     $headers[$header][$type] = $fallback;
                 }
                 $ruleIsSet = true;
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -140,6 +140,13 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
                 ['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
             ],
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'default-src \'none\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'']),
+                ['Content-Security-Policy' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'none\'; script-src \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+            ],
             [
                 $nonce,
                 ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],

Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,12 @@ private function updateCspHeaders(Response $response, array $nonces = []): array`
`133`	`133`	`continue;`
`134`	`134`	`}`
`135`	`135`
	`136`	`+ if (['\'none\''] === $fallback) {`
	`137`	`+ // Fallback came from "default-src: 'none'"`
	`138`	`+ // 'none' is invalid if it's not the only expression in the source list, so we leave it out`
	`139`	`+ $fallback = [];`
	`140`	`+ }`
	`141`	`+`
`136`	`142`	`$headers[$header][$type] = $fallback;`
`137`	`143`	`}`
`138`	`144`	`$ruleIsSet = true;`