Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[WebProfiler] Remove 'none' when appending CSP tokens#36786
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
nicolas-grekas commentedMay 12, 2020 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Thank you@ndench |
ndench commentedMay 12, 2020
Yep, seems to work as expected for me. I'm unsure why aappveyor is failing though. The only issue I can see is if someone specifies |
fabpot commentedMay 13, 2020
Thank you@ndench. |
Uh oh!
There was an error while loading.Please reload this page.
@nicolas-grekas asked me to to have a look at this after#36678.
If a user has a CSP policy of
default-src 'none', then the WebProfiler copies'none'toscript-srcandstyle-srcthen adds other sources. This creates an invalid policy since'none'is only allowed when it's the only item in the source list.This will probably need to be merged into 3.4 first, I started on 4.4 so I can test in my current symfony project which requires 4.4.