nelmio / NelmioSecurityBundle

Adds extra security-related features in your Symfony application
https://symfony.com/bundles/NelmioSecurityBundle/
MIT License

When script-src is set to strict-dynamic, 2 nonces are listed in CSP header #336

Open eliseeman opened 8 months ago

eliseeman commented 8 months ago

In the nelmio_security.yaml csp section, we have set script-src to 'strict-dynamic' (while commenting out unsafe-inline), and we are invoking csp_nonce('script') in target pages. [screenshot: yaml] When doing so, the Content-Security-Policy header for requested pages lists script-src as 'unsafe-inline' as well as 'strict-dynamic', and two nonces are listed. [screenshot: csp] Is there a reason for two nonces in this scenario?

Seldaek commented 8 months ago

The unsafe-inline is just for compatibility with older browsers not supporting nonces. The two nonces I'm not sure why, maybe you used csp_nonce twice with different arguments? Try to check in the HTML source where the two nonce values are being used.

micheh commented 2 months ago

Are you using the Web Debug Toolbar? Symfony adds a second nonce in the WebProfilerBundle to ensure the debug toolbar works correctly.

In your screenshot, the first nonce is base64-encoded (encoding used by NelmioSecurityBundle), while the second nonce is hex-encoded (encoding used by WebProfilerBundle).
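The two points raised in the replies above (that 'unsafe-inline' is only a fallback once nonces or 'strict-dynamic' are present, and that the two nonces can be told apart by their encoding) can be checked mechanically against a captured header. The following is an added example, not code from NelmioSecurityBundle, WebProfilerBundle or anyone in this thread: it parses a Content-Security-Policy header, extracts the script-src nonces, classifies each as hex or base64, and reports whether 'unsafe-inline' still has any effect. The header value is constructed to match the scenario in the issue; the nonce values in it are made up and the hex/base64 mapping to the two bundles is taken from the comment above, not verified against their source.

```python
"""Inspect a Content-Security-Policy header for nonces and fallback sources.

Added example (not project code). Assumes, per the thread, that
NelmioSecurityBundle emits base64-encoded nonces and WebProfilerBundle
emits hex-encoded ones.
"""
import base64
import re

# Constructed sample header: the shape the reporter describes, with the
# 'unsafe-inline' compatibility fallback plus one base64 and one hex nonce.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'unsafe-inline' 'strict-dynamic' "
    "'nonce-MDEyMzQ1Njc4OWFiY2RlZg==' "
    "'nonce-3f2a9c1b7e5d4a6f0c8b2d1e9a7f6543'; "
    "style-src 'self'"
)

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def classify_nonce(value: str) -> str:
    """Return 'hex', 'base64' or 'unknown' for a nonce value.

    Hex is tested first: a short hex string is also syntactically valid
    base64, so the order of the checks decides the ambiguous case.
    """
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) % 2 == 0:
        return "hex"
    try:
        base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return "unknown"
    return "base64" if len(value) % 4 == 0 else "unknown"


def script_nonces(header: str) -> list[tuple[str, str]]:
    """Return (nonce value, encoding) for every nonce source in script-src."""
    found = []
    for src in parse_csp(header).get("script-src", []):
        match = NONCE_RE.match(src)
        if match:
            found.append((match.group(1), classify_nonce(match.group(1))))
    return found


def unsafe_inline_effective(header: str) -> bool:
    """True only if 'unsafe-inline' actually permits inline scripts.

    In CSP Level 2/3, a nonce-source, hash-source or 'strict-dynamic' in
    the same directive makes the browser ignore 'unsafe-inline'; it then
    matters only to browsers that understand none of them, which is the
    compatibility fallback described in the thread.
    """
    sources = parse_csp(header).get("script-src", [])
    has_modern_source = any(
        s == "'strict-dynamic'" or s.startswith("'nonce-") or s.startswith("'sha")
        for s in sources
    )
    return "'unsafe-inline'" in sources and not has_modern_source


if __name__ == "__main__":
    for nonce, encoding in script_nonces(SAMPLE_CSP):
        print(f"{encoding:7s} {nonce}")
    print("unsafe-inline effective:", unsafe_inline_effective(SAMPLE_CSP))
```

Feed the real header (for example from `curl -sI` against a dev-environment page) to `script_nonces` to see which of the two values is the base64 one you injected with `csp_nonce('script')` and which is the hex one; `unsafe_inline_effective` returning False confirms that the retained 'unsafe-inline' is inert in any browser that honours the nonces.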