nelmio/NelmioSecurityBundle

Can't seem to enable/disable CSP with environment variable

Opened this issue · 0 comments

I'd like to be able to easily toggle CSP on/off, and also have my templates aware of the setting, so I can conditionally include content when needed. I tried making an environment variable for this, but for some reason CSP is always enabled.

What I've got so far:

.env

APP_CSP_ENABLED=1

.env.local

APP_CSP_ENABLED=0

services.yaml

parameters:
    app.csp_enabled: '%env(bool:APP_CSP_ENABLED)%'

nelmio_security.yaml

nelmio_security:
    csp:
        enabled: '%app.csp_enabled%'

twig.yaml

twig:
    globals:
        csp_enabled: '%app.csp_enabled%'

With the configuration above, I can write the following logic in my templates and it works as expected:

{% if csp_enabled %}
    {% cspscript %}
    {% set nonce = csp_nonce('script') %}
    {# etc. #}
{% endif %}

If I toggle between APP_CSP_ENABLED=0 and APP_CSP_ENABLED=1 then the csp_enabled global Twig variable updates as expected, and the correct logic is executed in templates. I can verify the correct value is set with dump(csp_enabled) and it is always true or false as expected.

However, the bundle always outputs CSP headers as though the enabled setting was true.

If I set enabled: false then it will be disabled as expected, so there is nothing else overriding this setting elsewhere. But setting enabled: '%app.csp_enabled%' makes it always enabled.

I've deleted my cache, but that doesn't change anything.

I tried changing the config to refer to the environment variable directly with enabled: '%env(bool:APP_CSP_ENABLED)%' but that doesn't change anything.

What am I missing here?
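An added example of a per-environment toggle, not from the reporter or the bundle. It assumes the cause is that `%env()%` values are only resolved at runtime, so a bundle extension that decides at container compile time whether to register the CSP listener sees a non-empty placeholder string and treats it as true; the file name and the `when@dev` block are assumptions (the `when@<env>` syntax needs Symfony 5.3 or later).

```yaml
# config/packages/csp.yaml (hypothetical file; any file under config/packages is loaded)
# Default for every environment: CSP on. The parameter is a literal boolean, so the
# bundle extension sees a real `true`/`false` at compile time rather than an env placeholder.
parameters:
    app.csp_enabled: true

nelmio_security:
    csp:
        enabled: '%app.csp_enabled%'

# The same parameter drives the Twig global, so templates and headers cannot disagree.
twig:
    globals:
        csp_enabled: '%app.csp_enabled%'

# Override only for the dev environment; the value is still a compile-time literal.
when@dev:
    parameters:
        app.csp_enabled: false
```

The reporter's Twig global worked with the env variable because Twig reads globals at request time, after env placeholders are resolved, while the header behaviour is fixed when the container is compiled. After changing the toggle, clear the cache for the environment you are testing so the container is rebuilt with the new literal.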