
[AssetMapper] Fix unable to use asset mapper with CSP #50456


Merged: 1 commit merged into symfony:6.3 on May 30, 2023

Conversation

vtsykun
Contributor

@vtsykun vtsykun commented May 28, 2023

| Q | A |
| --- | --- |
| Branch? | 6.3 |
| Bug fix? | yes |
| New feature? | yes-ish |
| Deprecations? | - |
| Tickets | - |
| License | MIT |
| Doc PR | - |

Currently it is not possible to use AssetMapper with a dynamic nonce attribute when a Content Security Policy is enabled (`unsafe-inline` restricted).

This PR allows passing a nonce attribute to the script tag. Example usage:

```twig
{{ importmap('app', {'nonce': csp_nonce('script')}) }}
```

@vtsykun vtsykun force-pushed the fix/assert-map-csp branch from ccdfa22 to 0a0a2c9 Compare May 29, 2023 13:13
Member

@weaverryan weaverryan left a comment


A test would be great - but looks good and nice catch 👍

@fabpot
Member

fabpot commented May 30, 2023

Thank you @vtsykun.

@fabpot fabpot merged commit 5bab536 into symfony:6.3 May 30, 2023
@fabpot fabpot mentioned this pull request May 30, 2023
OskarStark added a commit to symfony/symfony-docs that referenced this pull request May 7, 2024
…t Security Policy (nicwortel)

This PR was squashed before being merged into the 6.4 branch.

Discussion
----------

[AssetMapper] Document how to make it work with a Content Security Policy

Last week I converted a website from classic Webpack (without Encore) to AssetMapper and so far I'm impressed with how it simplifies asset management! 🎉 (thanks `@weaverryan`!)

One thing I had some difficulty with was to get it working with the website's [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). Before the switch I only used static assets hosted on the same domain, but the importmap functionality relies on inline scripts - which are blocked by default when a CSP is configured.

I managed to get it working using a nonce, with the help of [NelmioSecurityBundle](https://symfony.com/bundles/NelmioSecurityBundle/current/index.html#nonce-for-inline-script-handling). The nonce is inserted into the `<script>` tags by passing it to the second argument of the `importmap()` function. This functionality was introduced in Symfony 6.3 by symfony/symfony#50456 for this exact use case, but has not been documented as far as I could find.

Commits
-------

19e4f28 [AssetMapper] Document how to make it work with a Content Security Policy
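To make the failure mode behind this PR concrete, here is an added example (not Symfony, NelmioSecurityBundle or AssetMapper code) that mimics in Python what a nonce-aware `importmap()` helper emits and how a browser decides whether that inline `<script type="importmap">` may run under a `script-src` policy that omits `'unsafe-inline'`. The function names, the `/assets/app.js` path and the simplified policy evaluation are assumptions for illustration.

```python
import base64
import html
import json
import re
import secrets
from typing import Optional


def make_nonce() -> str:
    # One fresh, unpredictable value per HTTP response; reusing a nonce
    # across responses defeats the protection.
    return base64.b64encode(secrets.token_bytes(16)).decode()


def csp_header(nonce: str) -> str:
    # Policy without 'unsafe-inline': inline scripts run only if they
    # carry a nonce attribute matching a 'nonce-...' source.
    return f"script-src 'self' 'nonce-{nonce}'"


def render_importmap(imports: dict, nonce: Optional[str] = None) -> str:
    # Stand-in for the importmap() Twig helper: the import map is an
    # inline script block, so it needs the nonce attribute to be allowed.
    attr = f' nonce="{html.escape(nonce)}"' if nonce else ""
    body = json.dumps({"imports": imports})
    return f'<script type="importmap"{attr}>{body}</script>'


def inline_script_allowed(policy: str, script_tag: str) -> bool:
    # Simplified model of the browser's check for an inline script.
    sources = policy.removeprefix("script-src").split()
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if "'unsafe-inline'" in sources and not nonces:
        return True  # legacy policy that permits every inline script
    match = re.search(r'\bnonce="([^"]*)"', script_tag)
    return match is not None and match.group(1) in nonces


if __name__ == "__main__":
    nonce = make_nonce()
    policy = csp_header(nonce)
    app = {"app": "/assets/app.js"}  # constructed sample import map
    print("without nonce:", inline_script_allowed(policy, render_importmap(app)))
    print("with nonce:   ", inline_script_allowed(policy, render_importmap(app, nonce)))
```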