
VarDumper returns inline <script> and <style> tags, which cause content security policy failures #51692

Closed
Yannik opened this issue Sep 19, 2023 · 5 comments

@Yannik

Yannik commented Sep 19, 2023

Symfony version(s) affected

latest

Description

Symfony\Component\VarDumper\Dumper\HtmlDumper returns inline <script> tags in both the getDumpHeader() and dumpLine() functions. On a site with a content security policy, this leads to CSP errors.

How to reproduce

<?php
// Composer autoloader, so that the VarDumper classes can be loaded.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\VarDumper\Dumper\HtmlDumper;

/**
 * We have to extend the base HtmlDumper class in order to get access to the protected-only
 * getDumpHeader function.
 */
class DebugBarHtmlDumper extends HtmlDumper
{
    public function getDumpHeaderByDebugBar(): string
    {
        // getDumpHeader is protected, so expose it through a public wrapper:
        return $this->getDumpHeader();
    }
}

$dumper = new DebugBarHtmlDumper();
// Prints the <style> and <script> markup that HtmlDumper emits once per page:
echo $dumper->getDumpHeaderByDebugBar();

results in <script> Sfdump = window.Sfdump || (function (doc) { doc.documentElement.classList.add('sf-js-enabled'); var rxEsc = /([.*+?^${}()|\[\]\/\\])/g, idRx = /\bsf-dump-\d+-ref[012]\w+\b/, keyHint = 0 <= navigator.platform.toUpperCase().indexOf('MAC') ? 'Cmd' : 'Ctrl', addEventListener.....

Possible Solution

To fix this, I can see two options (IMO, it makes sense to implement both):

  • provide the getDumpHeader() <script> and <style> elements as .js and .css files, so they can be included without triggering CSP errors (using elements). For the individual dumpLine() elements, the <script> element is not really necessary; the Sfdump call can also be achieved by using the main JavaScript.
  • allow to provide a nonce for the script/style elements

Additional Context

No response

@Yannik Yannik added the Bug label Sep 19, 2023
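The second option above, a nonce, works because a CSP `script-src`/`style-src` directive that lists `'nonce-<value>'` allows exactly those inline blocks that carry a matching `nonce` attribute, with no need for `'unsafe-inline'`. The following is an added example written for this page, not Symfony's code and not a VarDumper feature: it generates a per-response nonce, sends a CSP header that trusts only that nonce, and stamps the nonce onto inline `<script>`/`<style>` tags in constructed markup resembling the dumper output quoted above. The function names and the sample HTML are this example's own assumptions.

```php
<?php
// Added example (not Symfony's own code): how a per-response CSP nonce lets
// inline <script>/<style> blocks load under a policy without 'unsafe-inline'.
// Function names are this example's own, not HtmlDumper's API; the sample HTML
// is constructed to resemble the dumper markup quoted in the issue.

declare(strict_types=1);

/** Generate a fresh, unguessable nonce for one HTTP response. */
function generateCspNonce(): string
{
    // 16 random bytes, base64-encoded, as the CSP specification expects.
    return base64_encode(random_bytes(16));
}

/** Build a CSP header value that trusts only inline code carrying this nonce. */
function buildCspHeader(string $nonce): string
{
    return sprintf(
        "default-src 'self'; script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'",
        $nonce,
        $nonce
    );
}

/**
 * Stamp the nonce onto every <script> and <style> opening tag that lacks one.
 * A regex is acceptable here because the input is the dumper's own trusted
 * markup, not arbitrary user-supplied HTML.
 */
function addNonceToInlineTags(string $html, string $nonce): string
{
    $attr = ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '"';

    return preg_replace(
        '/<(script|style)\b(?![^>]*\bnonce=)/i',
        '<$1' . $attr,
        $html
    );
}

// Constructed sample resembling the header and per-dump markup described above.
$dumpHeader = '<style>.sf-dump { color: #000 }</style>'
    . '<script> Sfdump = window.Sfdump || (function (doc) { /* ... */ })(document); </script>';
$dumpLine = '<pre class="sf-dump" id="sf-dump-1"> ... </pre>'
    . '<script>Sfdump("sf-dump-1")</script>';

$nonce = generateCspNonce();

// The policy header must be sent before any body output.
if (!headers_sent()) {
    header('Content-Security-Policy: ' . buildCspHeader($nonce));
}

// Every inline tag now carries the same nonce the header advertises, so the
// browser executes the dumper's script and applies its styles without a CSP
// violation report; tags that already have a nonce are left untouched.
echo addNonceToInlineTags($dumpHeader . $dumpLine, $nonce);
```

The nonce has to be regenerated for every response and never reused, otherwise an attacker who learns it can inject their own nonced script; generating it with `random_bytes()` and sending it only in the header and the tag attributes keeps it unguessable.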
@javiereguiluz
Member

Yannik, thanks for reporting this issue. A few months ago, we received a report about the same error in #49068. So, we're closing this issue as a duplicate of the earlier issue. Thanks!

@Yannik
Author

Yannik commented Sep 25, 2023

Hi @javiereguiluz

The bug you mention is only about style-src violations due to inline CSS. My bug is also about script-src and <style> elements.

@javiereguiluz
Member

Thanks! I added a comment in #49068 to also include the two script-src and <style> elements that you mentioned.

@Yannik
Author

Yannik commented Sep 25, 2023

Thanks @javiereguiluz

@damienfa

This comment was marked as duplicate.
