Skip to content

[AssetMapper] Document how to make it work with a Content Security Policy #19865

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 7, 2024
Merged

[AssetMapper] Document how to make it work with a Content Security Policy #19865

merged 1 commit into from
May 7, 2024

Conversation

nicwortel
Copy link
Contributor

Last week I converted a website from classic Webpack (without Encore) to AssetMapper and so far I'm impressed with how it simplifies asset management! 🎉 (thanks @weaverryan!)

One thing I had some difficulty with was to get it working with the website's Content Security Policy. Before the switch I only used static assets hosted on the same domain, but the importmap functionality relies on inline scripts - which are blocked by default when a CSP is configured.

I managed to get it working using a nonce, with the help of NelmioSecurityBundle. The nonce is inserted into the <script> tags by passing it to the second argument of the importmap() function. This functionality was introduced in Symfony 6.3 by symfony/symfony#50456 for this exact use case, but has not been documented as far as I could find.

@carsonbot
Copy link
Collaborator

Hey!

Oh no, it looks like you have made this PR towards a branch that is not maintained anymore. :/
Could you update the PR base branch to target one of these branches instead? 5.4, 6.4, 7.0, 7.1.

Cheers!

Carsonbot

@carsonbot carsonbot added this to the 6.3 milestone May 6, 2024
@nicwortel nicwortel changed the base branch from 6.3 to 6.4 May 6, 2024 18:50
@nicwortel nicwortel marked this pull request as draft May 6, 2024 18:51
@nicwortel nicwortel force-pushed the asset_mapper_csp branch from ee67304 to f117a41 Compare May 6, 2024 18:53
nicwortel
nicwortel commented May 6, 2024
View reviewed changes
nicwortel
nicwortel commented May 6, 2024
View reviewed changes
frontend/asset_mapper.rst

.. code-block:: html+twig

{{ importmap('app', {'nonce': csp_nonce('script')}) }}
Copy link
Contributor Author

@nicwortel nicwortel May 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The csp_nonce function is unknown because it is part of the NelmioSecurityBundle.

Should I remove it from the example and instead just refer to the documentation of the NelmioSecurityBundle?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's OK because you linked to the bundle in the previous paragraph ... but I'd add a comment in this code to explain that this function comes from that bundle:

.. code-block:: twig

    {# the csp_nonce() function is defined by the NelmioSecurityBundle #}
    {{ importmap('app', {'nonce': csp_nonce('script')}) }}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the comment 👍 however, that doesn't solve the error reported by the "Code Blocks" workflow, so the build still fails.

@nicwortel nicwortel marked this pull request as ready for review May 6, 2024 19:03
@carsonbot carsonbot modified the milestones: 6.3, 6.4 May 6, 2024
javiereguiluz
javiereguiluz reviewed May 7, 2024
View reviewed changes
Copy link
Member

@javiereguiluz javiereguiluz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nic, thanks a lot for contributing these missing docs. I left some minor comments but you did a great job.

And I agree with you, AssetMapper is fantastic 😎

frontend/asset_mapper.rst

.. code-block:: html+twig

{{ importmap('app', {'nonce': csp_nonce('script')}) }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's OK because you linked to the bundle in the previous paragraph ... but I'd add a comment in this code to explain that this function comes from that bundle:

.. code-block:: twig

    {# the csp_nonce() function is defined by the NelmioSecurityBundle #}
    {{ importmap('app', {'nonce': csp_nonce('script')}) }}

@nicwortel
Copy link
Contributor Author

@javiereguiluz thanks, I have addressed your comments 👍

@OskarStark
Copy link
Contributor

Thank you Nic.

@OskarStark OskarStark merged commit 40803b6 into symfony:6.4 May 7, 2024
3 checks passed
@nicwortel nicwortel deleted the asset_mapper_csp branch May 8, 2024 10:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@javiereguiluz javiereguiluz javiereguiluz left review comments

@OskarStark OskarStark OskarStark approved these changes

Assignees
No one assigned
Labels
AssetMapper Status: Reviewed
Projects
None yet
Milestone
6.4
Development

Successfully merging this pull request may close these issues.
4 participants
@nicwortel @carsonbot @OskarStark @javiereguiluz