
Symfony 3 - Content Security Policy


I have a problem with Content Security Policy. Whenever I try to include the JavaScript in my project, I get a content-security-policy error.

<!DOCTYPE html>
<html>
    <head>
        <title>Symfony</title>
        <!-- External script file: the CSP's script-src must allow the origin that
             asset() resolves to; for a same-origin asset path 'self' is enough.
             Any inline <script> or on* handler in the page would additionally
             need a nonce, a hash, or 'unsafe-inline' (the latter weakens the CSP). -->
        <script src="{{ asset('myscript.js') }}"></script>
    </head>
    <body>
      // ...
    </body>
</html>

What am I doing wrong?

I've already tried with:


Solution

  • Okay, I found a solution. I added an event subscriber to my code that sets the "Content-Security-Policy" header.

    <?php
    
    namespace AppBundle\Subscriber;
    
    use Symfony\Component\EventDispatcher\EventSubscriberInterface;
    use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
    use Symfony\Component\HttpKernel\KernelEvents;
    
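    /**
     * Adds Content-Security-Policy headers to outgoing responses.
     *
     * The policy string is injected through the constructor so it can be tuned
     * per environment (or replaced by a nonce/hash-based policy) without
     * editing this class; the default reproduces the policy that was
     * previously hard-coded here.
     *
     * @package AppBundle\Subscriber
     */
    class ResponseSubscriber implements EventSubscriberInterface
    {
        /**
         * Default policy, byte-identical to the original hard-coded value.
         *
         * 'unsafe-inline' permits every inline <script> block and on* handler
         * attribute, which removes most of the XSS mitigation a CSP provides.
         * Prefer per-request nonces or script hashes for the inline scripts
         * that genuinely need them, then drop 'unsafe-inline' from the policy.
         */
        const DEFAULT_POLICY = "default-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline'";

        /** @var string Full Content-Security-Policy header value */
        private $policy;

        /**
         * @param string $policy Content-Security-Policy header value to emit
         */
        public function __construct($policy = self::DEFAULT_POLICY)
        {
            $this->policy = $policy;
        }

        /** @inheritdoc */
        public static function getSubscribedEvents()
        {
            return [
                KernelEvents::RESPONSE => 'onResponse',
            ];
        }

        /**
         * Sets the CSP headers on the response of the master request.
         *
         * Sub-request (fragment) responses are skipped: their content is
         * embedded into the master response and their headers are not what
         * the browser receives, so setting them there is wasted work.
         *
         * @param FilterResponseEvent $event
         */
        public function onResponse(FilterResponseEvent $event)
        {
            if (!$event->isMasterRequest()) {
                return;
            }

            $headers = $event->getResponse()->headers;

            // Standard header first, then the legacy vendor-prefixed names
            // that were also emitted originally for older browsers.
            $headers->set('Content-Security-Policy', $this->policy);
            $headers->set('X-Content-Security-Policy', $this->policy);
            $headers->set('X-WebKit-CSP', $this->policy);
        }
    }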
    

    and

    # app/config/services.yml
    services:
        # ...
        # NOTE(review): a service implementing EventSubscriberInterface is only
        # attached to the dispatcher if it carries the kernel.event_subscriber tag
        # or is covered by a `_defaults: autoconfigure: true` block (Symfony 3.3+);
        # confirm the omitted "# ..." section above provides one of those.
        app.responseSubscriber:
            class: AppBundle\Subscriber\ResponseSubscriber
            autowire: true