Disable CSP header on exception pages only in debug #25933


Merged: fabpot merged 1 commit into symfony:2.7 from ostrolucky:more-secure-csp-removal on Jan 26, 2018

Conversation

@ostrolucky (Contributor) commented Jan 26, 2018 (edited)

| Q             | A       |
| ------------- | ------- |
| Branch?       | 2.7     |
| Bug fix?      | yes     |
| New feature?  | no      |
| BC breaks?    | no      |
| Deprecations? | no      |
| Tests pass?   | yes     |
| Fixed tickets | #24772  |
| License       | MIT     |
| Doc PR        |         |

Based on feedback we received, there are situations in production when it's desired to have the CSP header in place even if an exception occurred.

This now uses the same condition that is used by ExceptionController in TwigBridge to evaluate if the styled exception template is going to be shown, minus the `showException` request attribute, which doesn't make sense in this context, because it's used by PreviewController only and in such case this listener isn't triggered.

Overriding CSP header via HTML meta tag unfortunately, but not surprisingly, doesn't work.

Commit message: Same condition is used by default TwigBridge ExceptionController to evaluate if styled exception page is supposed to be shown.

@nicolas-grekas added this to the 2.7 milestone Jan 26, 2018
@fabpot (Member) commented:

Thank you @ostrolucky.

fabpot merged commit b77538c into symfony:2.7 on Jan 26, 2018

fabpot added a commit that referenced this pull request on Jan 26, 2018: b77538c Disable CSP header on exception pages only in debug (ostrolucky). This PR was merged into the 2.7 branch; its message repeats the PR description above.
@stof (Member) commented, quoting the description:

Overriding CSP header via HTML meta tag unfortunately, but not surprisingly, doesn't work.

That's logic: the meta tag can add a new header, not replace the HTTP headers. And the behavior of browsers when receiving multiple CSP headers is to apply all policies (making an AND between them). So a new header cannot disable the other ones.
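An added illustration of the combination rule stof describes (not code from this PR or from Symfony): a small Python model that parses several CSP policies and allows a load only when every one of them allows it, so a permissive policy injected via a meta tag can never relax a stricter HTTP header. The policy strings and the page origin `https://app.example` are constructed examples, and the source matching is a simplified subset of the CSP grammar.

```python
from urllib.parse import urlsplit

# Subset of the spec's fetch-directive fallback chain (directive -> fallback).
FETCH_FALLBACK = {"script-src": "default-src", "style-src": "default-src",
                  "img-src": "default-src", "connect-src": "default-src"}

# Constructed sample policies: the strict one an application sends as an HTTP
# header, and a permissive one injected via <meta http-equiv> on an error page.
HEADER_POLICY = "default-src 'self'; script-src 'self'"
META_POLICY = "script-src *"

def parse_policy(serialized):
    """'default-src 'self'; script-src cdn.example' -> {directive: [sources]}."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy

def source_matches(expr, url, page_origin):
    """Simplified source-expression match: 'none', 'self', '*' and host
    expressions with an optional scheme and a leading '*.' wildcard."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr == "*":
        return True
    scheme, _, host = expr.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return u.hostname == host

def policy_allows(policy, directive, url, page_origin):
    """Look up the directive (falling back to default-src); absent means allowed."""
    name = directive if directive in policy else FETCH_FALLBACK.get(directive)
    if name is None or name not in policy:
        return True
    return any(source_matches(e, url, page_origin) for e in policy[name])

def allowed_by_all(policies, directive, url, page_origin="https://app.example"):
    """Browser semantics: every delivered policy is enforced, so any single
    policy that denies the load vetoes it (an AND across all policies)."""
    return all(policy_allows(parse_policy(p), directive, url, page_origin)
               for p in policies)
```

With these inputs `allowed_by_all([META_POLICY], "script-src", "https://cdn.example/app.js")` is true on its own, but adding the header policy to the list makes the same call false.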

Review comment on the listener's property declarations:

```php
{
    protected $controller;
    protected $logger;
    protected $debug;
```

@stof: should have been private (too bad that I see it just after the release is done)

Reviewers: @stof left review comments; @fabpot approved these changes

Assignees: No one assigned

Projects: None yet

Milestone: 2.7

5 participants: @ostrolucky @fabpot @stof @nicolas-grekas @carsonbot
