[WebProfilerBundle] [VarDumper] Inject "unsafe-eval" into the CSP if the VarDumper was used #29155
Conversation
|
Travis seems to be failing because it is not using my modified VarDumper. Should this be separated? |
|
Hello, what do you think of this change? @nicolas-grekas maybe? :) |
src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
Outdated
Show resolved
Hide resolved
|
The static property which is never reset will not play well with cases like php-pm, which reuse the same process for multiple HTTP requests (dumping once will authorize |
|
Interesting, I have apparently not thought about that. I am not familiar with php-pm, do you have any suggestions to avoid that problem or when to clear the property? |
|
I have pushed a new solution which seems cleaner to me and I guess it should handle the php-pm problems better. Basically I extended the VarDumper so that it can call functions after dumping and use it to enable unsafe-eval in the CSP. This is set up in a request listener in WebDebugToolbarListener. I'm waiting for your input :) |
src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php
Outdated
Show resolved
Hide resolved
src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
Outdated
Show resolved
Hide resolved
|
Adapted a few small things and added more CSP edge cases. @stof What do you think? |
|
Any news on this? The missing rule makes our dumps unreadable in the toolbar as the missing CSS evaluation results in black-on-black rendering in our project. :( |
|
this PR conflicts with the current state of the branch. |
|
@stof PR is adapted |
|
Friendly request for a review :) What do you think? |
|
@nicolas-grekas @stof this is rebased on the current master, everything still applies, all tests are working and looking good. What do you think? |
Hi, thank you for the review and input! I pushed a new version which is using the handler only once and resetting it afterwards which is also covered by a test. |
src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
Outdated
Show resolved
Hide resolved
src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php
Show resolved
Hide resolved
|
@Simperfit done |
src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
Outdated
Show resolved
Hide resolved
…the VarDumper was used
|
Did the requested changes by resetting evaluationEnabled at the end when updating the headers and adapted the tests for that, rebased on master as well. AppVeyor changes seem to be unrelated? (table from other components already existing in sqlite) |
| @@ -57,4 +65,12 @@ public static function setHandler(callable $callable = null) | |||
|
|
|||
| return $prevHandler; | |||
| } | |||
|
|
|||
| public static function setAfterDumpHandlerOnce(callable $callable = null) | |||
There was a problem hiding this comment.
this looks like something we'd better avoid IMHO.
I think it's fine if we call setEvaluationEnabled(true) all the time when dump() is called.
There was a problem hiding this comment.
Sorry for getting back in touch so late. I'm aware this a not-important edge-case and I actually needed this at my old company and currently I don't. Anyways but I still want to finish this :)
Do you mean to adapt this callback to be called every-time instead of that only once logic which simplifies it or something completely different?
|
I'm closing because the approach here is too invasive IMHO as it relies on global state. |
…nojp) This PR was squashed before being merged into the 5.3-dev branch. Discussion ---------- [WebProfilerBundle] Disable CSP if dumper was used | Q | A | ------------- | --- | Branch? | 5.x for features | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #29084 | License | MIT | Doc PR | - Disables a configured Content Security Policy if the dumper was used to avoid breaking the toolbar. This is a less invasive alternative to #29155 which fixes #29084 (there is a project with a test case linked there). Commits ------- 5dc2637 [WebProfilerBundle] Disable CSP if dumper was used
Adapts the VarDumper so that it accepts a callable which is called after something has been dumped. This can be used by the ContentSecurityPolicyHandler in the WebProfilerBundle to modify CSPs to allow unsafe-eval which is needed for the profiler toolbar to evaluate injected JS.
This is kind of a small feature/extension to #18568. I ommited the changelog and doc changes because of that but they can be added of course if needed.