nelmio/NelmioSecurityBundle

How to set the parameter $reportOnly in the buildHeaders to false in the class ContentSecurityPolicyListener?

HVSoftware opened this issue · 1 comment

We want to enforce Content Security Policy in our application and we do not want reporting.
For this reason we pass the $enforce directive to the ContentSecurityPolicyListener constructor.

Only when I look at the headers in my browser (F12 dev tools) I see two rows:

  • Content-Security-Policy: default-src .... (We want this one)
  • Content-Security-Policy-Report-Only: report-uri /csp/report

I do not want to see the second Report-Only row. I want to remove this, only this is not possible within the class. Inside the class the buildHeaders method is called with a fixed value.

        $response->headers->add($this->buildHeaders($request, $this->report, true, $this->compatHeaders, $signatures));  // $reportOnly fixed to true
        $response->headers->add($this->buildHeaders($request, $this->enforce, false, $this->compatHeaders, $signatures)); // $reportOnly fixed to false

Is there a way to by-pass this? Is there a way to set this value to false? It's difficult to inherit the class. I need some advice!

I found the solution after browsing the closed issues.

I only had to remove the report-uri from the report section in my config.yml

    nelmio_security:
        csp:
            enforce:
                level1_fallback: false # MUST NOT be allowed to prevent security risks
            report:
                level1_fallback: true # SHOULD be allowed to prevent negative positives
    #            report-uri: "%router.request_context.base_url%/csp/report"
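A way to verify the outcome of that config change on the wire, added here as an example and not code from the issue or from the bundle: it parses a raw response header block (the two samples are constructed, with an assumed nonce and source list) and flags a Report-Only header that carries nothing but a report-uri, which is the row the issue wanted gone.

```python
# Constructed sample header blocks, not captured from any real deployment.
# BEFORE: both headers present, as described in the issue.
HEADERS_BEFORE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'
Content-Security-Policy-Report-Only: report-uri /csp/report
"""
# AFTER: report-uri removed from the report section, only the enforced header remains.
HEADERS_AFTER = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'
"""


def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; the status line is skipped."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_policy(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(raw):
    """Classify the CSP headers in a response and list what a defender should act on."""
    enforced, report_only = [], []
    for name, value in parse_headers(raw):
        if name == "content-security-policy":
            enforced.append(parse_policy(value))
        elif name == "content-security-policy-report-only":
            report_only.append(parse_policy(value))
    findings = []
    if not enforced:
        findings.append("no enforced Content-Security-Policy header")
    for pol in report_only:
        if "report-uri" not in pol and "report-to" not in pol:
            findings.append("Report-Only header without report-uri/report-to: violations are never delivered")
        elif len(pol) == 1:
            findings.append("Report-Only header carries only a reporting endpoint, no directives to report on")
    if enforced and report_only:
        findings.append("both enforced and Report-Only headers are sent; drop the report section if reporting is unwanted")
    return {"enforced": enforced, "report_only": report_only, "findings": findings}
```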