[Asset-Mapper] Errors with the mapper when using CSP #52675
Labels
Comments
|
What is wrong with the downloaded shim? Could you elaborate a bit ? I'm presuming you are referencing the local polyfill ? For the CSP it's something that will be needed i agree, but i'd say it's more a "missing feature" than a bug :) |
|
Hi! I'd also love to know if: A) you're using the local polyfill Cheers! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Symfony version(s) affected
6.4.0-RC1
Description
When using CSP (like NelmioSecurityBundle) with Asset-Mapper, there's lot of blockage. Like need to open remote sites for scripts (when using the shim, and because the downloaded shim does't work), need to add unsafe-inline as it write JS in the html. By using 'unsafe-inline' or 'unsafe-eval' you're effectively disabling the XSS protection mechanism of CSP.
How to reproduce
Install NelmioSecurityBundle and start the CSP
Possible Solution
1- Have the same version of the shim downloaded.
2- We need to add nonce, to the script. Nonce that might need to be sync between Bundle.
Additional Context
No response
The text was updated successfully, but these errors were encountered: