Nonce not possible to use

[Mecanik]

Hi,

Long story short, config:

nelmio_security:
  # signs/verifies all cookies
  # signed_cookie:
  #   names: ["*"]
  #   hash_algo: sha512 # defaults to sha256, see ``hash_algos()`` for available algorithms

  # prevents framing of the entire site
  clickjacking:
    paths:
      "^/.*": DENY
    content_types: []
    hosts: []

  # prevents redirections outside the website's domain
  external_redirects:
    abort: true
    log: true

  # prevents inline scripts, unsafe eval, external scripts/images/styles/frames, etc
  csp:
    report_endpoint:
      filters:
        # Filter false positive reports given a domain list
        domains: true
        # Filter false positive reports given a scheme list
        schemes: true
        # Filter false positive reports given known browser bugs
        browser_bugs: true
        # Filter false positive reports given known injected scripts
        injected_scripts: true
        # You can add you custom filter rules by implementing Nelmio\SecurityBundle\ContentSecurityPolicy\Violation\Filter\NoiseDetectorInterface
        # and tag the service with "nelmio_security.csp_report_filter"
      dismiss:
        # A list of key-values that should be dismissed
        # A key is either a domain or a regular expression
        # A value is a source or an array of source. The '*' wilcard is accepted
        "/^data:/": "script-src"
    hosts: []
    content_types: []
    enforce:
      level1_fallback: false
      browser_adaptive:
        enabled: false
      default-src:
        - "self"
      script-src:
        - "self"
      object-src:
        - "self"
      style-src:
        - "self"
        - "unsafe-inline"
      img-src:
        - "self"
        - "data:" # Allow data URIs for inline images
      #media-src:
      frame-src:
        - "self"
      #font-src:
      #connect-src:
      #base-uri:
      #child-src:
      #form-action:
      #frame-ancestors:
      #plugin-types:
      #manifest-src:

      block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
      # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
    hash:
      algorithm: sha512 # default is sha256, available are sha256, sha384 and sha512

  # disables content type sniffing for script resources
  content_type:
    nosniff: true

  # Send a full URL in the ``Referer`` header when performing a same-origin request,
  # only send the origin of the document to secure destination (HTTPS->HTTPS),
  # and send no header to a less secure destination (HTTPS->HTTP).
  # If ``strict-origin-when-cross-origin`` is not supported, use ``no-referrer`` policy,
  # no referrer information is sent along with requests.
  referrer_policy:
    enabled: true
    policies:
      - "no-referrer"
      - "strict-origin-when-cross-origin"

  # forces HTTPS handling, don't combine with flexible mode
  # and make sure you have SSL working on your site before enabling this
#    forced_ssl:
#        hsts_max_age: 2592000 # 30 days
#        hsts_subdomains: true
#        redirect_status_code: 302 # default, switch to 301 for permanent redirects

# flexible HTTPS handling, read the detailed config info
# and make sure you have SSL working on your site before enabling this
#    flexible_ssl:
#        cookie_name: auth
#        unsecured_logout: false

Inline style:

{% cspstyle %}
<style nonce="{{ csp_nonce('style') }}">
...
</style>
{% endcspstyle %}

Result:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'sha512-v4ZeP6uuC0K26F3RLHMYCsgM4AZkGfutftRoL9hMW/7xnvn9b0RoolnQ7agfx3jXzlQRplB9BLUNB/dY9WPzeQ==' 'nonce-JMhFGaeQZZbGpG0cABInKQ==' 'nonce-673f0b459a7835555de9242223b43626'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

What's the solution for this?

Thanks

[Mecanik]

From what I am seeing, the none is not injected into the HTML: <style nonce="">, using Symfony 7.2.*