unsafe-eval required in content security policy for profiling toolbar in Symfony 4.1 #27583
Comments
|
@ogizanagi the change in this commit is that the |
|
Ah yes, checking if there are any scripts and only run |
|
@stof cool, thanks! |
fabpot
added a commit
that referenced
this issue
Jun 13, 2018
… toolbar (stof) This PR was merged into the 4.1 branch. Discussion ---------- Avoid calling eval when there is no script embedded in the toolbar | Q | A | ------------- | --- | Branch? | 4.1 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #27583 | License | MIT | Doc PR | n/a #27189 changed the way embedded scripts were eval'd for the toolbar. But it also refactored the code in a way triggering `eval` all the time, even when there is no embedded script, which was reported several times as an issue with CSP. While the debug panel (showing dumps) still requires having `unsafe-eval` in the CSP header (due to embedding scripts that we eval), this PR reverts back to the behavior of Symfony 4.0 and older, where only toolbars actually embedding scripts have this CSP compat issue. Commits ------- a0f78a5 Avoid calling eval when there is no script embedded in the toolbar
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Symfony version(s) affected: 4.1.0
Description
Commit 0cd51ae added a call to Javascript's
evalfunction, which is not allowed under a strict content security policy. We have this strict policy on development as well in production because we don't want to find out about CSP violations in production only.How to reproduce
Open a webpage with the Symfony profiling toolbar while CSP is enabled and
unsafe-evalis not allowedPossible Solution
It would be best if
evalwouldn't be needed at all, but I'm not sure if that's an optionThe text was updated successfully, but these errors were encountered: