Unexpecting appearance of unsafe-inline on CSP

[spyridonas]

Hello,
I believe i have found a bug, or that my knowledge of CSP is lacking.
Given the following csp configuration:

    csp:
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            connect-src:
                - 'self'

The content security policy correctly show the connect-src policy only.

If i add the same thing on default-src, making the configuration look like this:

    csp:
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            connect-src:
                - 'self'
            default-src:
                - 'self'

Then the response includes unsafe-inline as well.
Is this a known issue ? Or is it expected behaviour ?

[martijnc]

The bundle only injects unsafe-inline automatically when you use nonces or hashes and level1_fallback is set to true. This is done in DirectiveSet::buildHeaderValue. With your example, the bundle should not include unsafe-inline

Some bundles (like the Symfony WebprofilerBundle) modify the CSP headers to include their own nonces/hashes (along with unsafe-inline for older browsers). Maybe this is what's happening here?

Can you check if the generated header value in ContentSecurityPolicyListener::buildHeaders is incorrect in your application?

[spyridonas]

@martijnc
I do utilize nonces, but as you can see from the example the level1_fallback is set to false.
The issue appeared on the staging of our app, where the symfony is running under 'production' mode (APP_ENV=prod) and without any dev dependencies installed/running (such as WebprofilerBundle).
I will look at the ContentSecurityPolicyListener::buildHeaders output and report back

[Seldaek]

I am not sure why it's being injected right now, I'd have to check too, but note that unsafe-inline is ignored if a nonce or a hash is present (with browsers supporting CSP2 and above). So it is completely safe.

[mbrodala]

One option would be symfony/web-profiler-bundle:

https://github.com/symfony/web-profiler-bundle/blob/b9357f73d2c14dcd36783a67386f510654828668/Csp/ContentSecurityPolicyHandler.php#L152