When script-src is set to strict-dynamic, 2 nonces are listed in CSP header

[eliseeman]

In the nelmio_security.yaml csp section, we have set script-src to 'strict-dynamic' (while commenting out unsafe-inline), and we are invoking csp_nonce('script') in target pages.

When doing so, the Content-Security-Policy header for requested pages lists script-src as 'unsafe-inline' as well as 'strict-dynamic', and two nonces are listed.

Is there a reason for two nonces in this scenario?

[Seldaek]

the unsafe-inline is just for compatibility with older browsers not supporting nonces. The two nonces I'm not sure why, maybe you used csp_nonse twice with different arguments? Try to check in the html source where the two nonce values are being used?

[micheh]

Are you using the Web Debug Toolbar? Symfony adds a second nonce in the WebProfilerBundle to ensure the debug toolbar works correctly.

In your screenshot, the first nonce is base64-encoded (encoding used by NelmioSecurityBundle), while the second nonce is hex-encoded (encoding used by WebProfilerBundle).