Hi,
Long story short, config:
```yaml
nelmio_security:
    # signs/verifies all cookies
    # signed_cookie:
    #     names: ["*"]
    #     hash_algo: sha512 # defaults to sha256, see ``hash_algos()`` for available algorithms

    # prevents framing of the entire site
    clickjacking:
        paths:
            "^/.*": DENY
        content_types: []
        hosts: []

    # prevents redirections outside the website's domain
    external_redirects:
        abort: true
        log: true

    # prevents inline scripts, unsafe eval, external scripts/images/styles/frames, etc
    csp:
        report_endpoint:
            filters:
                # Filter false positive reports given a domain list
                domains: true
                # Filter false positive reports given a scheme list
                schemes: true
                # Filter false positive reports given known browser bugs
                browser_bugs: true
                # Filter false positive reports given known injected scripts
                injected_scripts: true
                # You can add your custom filter rules by implementing Nelmio\SecurityBundle\ContentSecurityPolicy\Violation\Filter\NoiseDetectorInterface
                # and tag the service with "nelmio_security.csp_report_filter"
            dismiss:
                # A list of key-values that should be dismissed
                # A key is either a domain or a regular expression
                # A value is a source or an array of sources. The '*' wildcard is accepted
                "/^data:/": "script-src"
        hosts: []
        content_types: []
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            default-src:
                - "self"
            script-src:
                - "self"
            object-src:
                - "self"
            style-src:
                - "self"
                - "unsafe-inline"
            img-src:
                - "self"
                - "data:" # Allow data URIs for inline images
            #media-src:
            frame-src:
                - "self"
            #font-src:
            #connect-src:
            #base-uri:
            #child-src:
            #form-action:
            #frame-ancestors:
            #plugin-types:
            #manifest-src:
            block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
            # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
        hash:
            algorithm: sha512 # default is sha256, available are sha256, sha384 and sha512

    # disables content type sniffing for script resources
    content_type:
        nosniff: true

    # Send a full URL in the ``Referer`` header when performing a same-origin request,
    # only send the origin of the document to secure destination (HTTPS->HTTPS),
    # and send no header to a less secure destination (HTTPS->HTTP).
    # If ``strict-origin-when-cross-origin`` is not supported, use ``no-referrer`` policy,
    # no referrer information is sent along with requests.
    referrer_policy:
        enabled: true
        policies:
            - "no-referrer"
            - "strict-origin-when-cross-origin"

    # forces HTTPS handling, don't combine with flexible mode
    # and make sure you have SSL working on your site before enabling this
    # forced_ssl:
    #     hsts_max_age: 2592000 # 30 days
    #     hsts_subdomains: true
    #     redirect_status_code: 302 # default, switch to 301 for permanent redirects

    # flexible HTTPS handling, read the detailed config info
    # and make sure you have SSL working on your site before enabling this
    # flexible_ssl:
    #     cookie_name: auth
    #     unsecured_logout: false
```
Inline style:
```twig
{% cspstyle %}
<style nonce="{{ csp_nonce('style') }}">
    ...
</style>
{% endcspstyle %}
```
Result:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'sha512-v4ZeP6uuC0K26F3RLHMYCsgM4AZkGfutftRoL9hMW/7xnvn9b0RoolnQ7agfx3jXzlQRplB9BLUNB/dY9WPzeQ==' 'nonce-JMhFGaeQZZbGpG0cABInKQ==' 'nonce-673f0b459a7835555de9242223b43626'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
What's the solution for this?
Thanks
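To make the rule quoted at the end of the browser message concrete (once any nonce or hash source is present in a directive, `'unsafe-inline'` is ignored), here is an added Python example that is not part of NelmioSecurityBundle or of the post above. It evaluates whether an inline `<style>` element would be permitted under a `style-src` source list, using the nonces and the hash copied from the error message; the stylesheet text and the `inline_style_allowed` helper are constructed for the example.

```python
import base64
import hashlib
import re
from typing import List, Optional, Tuple

# Directive copied verbatim from the browser's CSP violation message above.
STYLE_SRC = (
    "style-src 'self' 'unsafe-inline' "
    "'sha512-v4ZeP6uuC0K26F3RLHMYCsgM4AZkGfutftRoL9hMW/7xnvn9b0RoolnQ7agfx3jXzlQRplB9BLUNB/dY9WPzeQ==' "
    "'nonce-JMhFGaeQZZbGpG0cABInKQ==' 'nonce-673f0b459a7835555de9242223b43626'"
)

HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def parse_directive(directive: str) -> Tuple[str, List[str]]:
    """Split 'style-src a b c' into its name and source expressions."""
    name, _, rest = directive.strip().partition(" ")
    return name, rest.split()


def hash_source(content: str, algo: str = "sha512") -> str:
    """Build the CSP hash-source expression for an inline block's text."""
    digest = HASH_ALGOS[algo](content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def inline_style_allowed(directive: str, content: str, nonce: Optional[str] = None) -> bool:
    """Apply the CSP inline-check: nonce/hash sources win over 'unsafe-inline'."""
    _, sources = parse_directive(directive)
    nonces = {s for s in sources if s.startswith("'nonce-")}
    hashes = {s for s in sources if re.match(r"'sha(256|384|512)-", s)}
    # Without any nonce or hash source, 'unsafe-inline' alone decides.
    if not nonces and not hashes:
        return "'unsafe-inline'" in sources
    # Otherwise 'unsafe-inline' is ignored: the element's nonce attribute
    # must match a nonce source, or its exact text must match a hash source.
    if nonce is not None and f"'nonce-{nonce}'" in nonces:
        return True
    return any(hash_source(content, algo) in hashes for algo in HASH_ALGOS)


if __name__ == "__main__":
    css = "body { color: red; }"  # constructed sample stylesheet
    print(inline_style_allowed(STYLE_SRC, css, "JMhFGaeQZZbGpG0cABInKQ=="))  # True
    print(inline_style_allowed(STYLE_SRC, css, "stale-nonce"))  # False: wrong nonce, hash mismatch
    print(inline_style_allowed(STYLE_SRC, css))  # False: 'unsafe-inline' no longer counts
```

A style block is therefore only accepted when the nonce rendered into its attribute equals one emitted in that same response's header, or when the header carries the hash of the block's exact final text.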