nelmio / NelmioSecurityBundle

Adds extra security-related features in your Symfony application
https://symfony.com/bundles/NelmioSecurityBundle/
MIT License

Nonce is empty unless dump using twig #340

Closed vdeville closed 7 months ago

vdeville commented 7 months ago

Hello,

Today I tested adding an inline nonce to all scripts. In production mode there is no problem, but in dev mode, if I do not do {% dump(csp_nonce('script')) %}, all the scripts have an empty nonce.

Do you have any idea about this problem?

Thanks

vdeville commented 7 months ago

Example in HTML:

[Screenshot: 2024-03-08 16:12:08]

In code:

<script type="text/javascript" nonce="{{ csp_nonce('script') }}" nonceTest="{{ csp_nonce('script') }}">

vdeville commented 7 months ago

Doing a dump before this script in Twig:

{{ dump(csp_nonce('script')) }}
<script type="text/javascript" nonce="{{ csp_nonce('script') }}" nonceTest="{{ csp_nonce('script') }}">

Result:

[Screenshot: 2024-03-08 16:14:02]

Seldaek commented 7 months ago

This is normal: https://stackoverflow.com/a/55673767/6512

You can check the view-source of the page to verify nonces, do not use the web inspector.
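
Added example, not code from NelmioSecurityBundle or from either participant in this thread: a small Node.js script that verifies script nonces the way the reply above recommends, against the raw HTML source rather than the live DOM. Browsers implement "nonce hiding" from the HTML spec: once a `nonce` content attribute is parsed, its value is moved into the element's internal nonce slot (readable as the `.nonce` property) and the content attribute is reset to an empty string, which is why the web inspector shows `nonce=""`. The script parses a constructed `Content-Security-Policy` header and a constructed page source (both labelled as constructed; the nonce value `Zm9vYmFy` and the `/app.js` path are made up for the example), extracts the `nonce` attribute of every `<script>` tag, and reports whether each one is allowed by `script-src` (falling back to `default-src` as CSP does). It also runs the same check over an inspector-style copy of the page to show how the hidden nonces fail it.

```javascript
// Verify CSP nonces against the raw HTML source (what "view-source" shows),
// not the DOM. Added example; not part of NelmioSecurityBundle.

// Nonces allowed for `directive` by a Content-Security-Policy header value.
// Falls back to default-src when the directive is absent, as CSP does.
function cspNonces(cspHeader, directive) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const sources = directives.get(directive) ?? directives.get('default-src') ?? [];
  const nonces = new Set();
  for (const src of sources) {
    const m = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(src);
    if (m) nonces.add(m[1]);
  }
  return nonces;
}

// nonce attribute of every <script ...> opening tag in raw HTML.
// Returns null for a tag without the attribute and '' for nonce="".
function scriptNonces(html) {
  const found = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = /(?:^|\s)nonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    found.push(attr ? (attr[1] ?? attr[2] ?? attr[3]) : null);
  }
  return found;
}

// Per-script report: a script passes only if it carries a non-empty nonce
// that the header actually allows.
function verifyNonces(html, cspHeader) {
  const allowed = cspNonces(cspHeader, 'script-src');
  const scripts = scriptNonces(html).map((nonce, index) => ({
    index,
    nonce,
    ok: nonce !== null && nonce !== '' && allowed.has(nonce),
  }));
  return {
    allowed: [...allowed],
    scripts,
    allOk: scripts.length > 0 && scripts.every((s) => s.ok),
  };
}

// Constructed sample input (not captured from a real deployment): a header
// of the shape the bundle sends, and the page as view-source shows it.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-Zm9vYmFy'; object-src 'none'";
const SAMPLE_SOURCE = `<html><head>
<script type="text/javascript" nonce="Zm9vYmFy">init();</script>
<script src="/app.js" nonce="Zm9vYmFy"></script>
</head></html>`;
// The same page as the web inspector renders it: nonce values hidden.
const SAMPLE_INSPECTOR = SAMPLE_SOURCE.replace(/nonce="[^"]*"/g, 'nonce=""');

console.log('view-source :', JSON.stringify(verifyNonces(SAMPLE_SOURCE, SAMPLE_CSP)));
console.log('inspector   :', JSON.stringify(verifyNonces(SAMPLE_INSPECTOR, SAMPLE_CSP)));
```

To use it against a live page, feed `verifyNonces` the response body and the `Content-Security-Policy` header from `curl -i` (or the browser's view-source), never `document.documentElement.outerHTML` from the console, since the serialised DOM already has the nonces stripped. The attribute regex is deliberately simple and only covers `<script>` opening tags; a page with scripts inside HTML comments or CDATA would need a real parser.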

vdeville commented 7 months ago

Thanks for your reply. I don't really understand why, in the dev or prod env, some scripts were or were not loaded. For example, in dev mode Google Maps gives an eval error in JavaScript, but not in production (same config, same loaded URL, etc.). Thanks