Skip to content

[AssetMapper] CSP - Refused to load the script 'data:application/javascript,' #58416

New issue
New issue
Closed
Closed
[AssetMapper] CSP - Refused to load the script 'data:application/javascript,'#58416
Labels
AssetMapperBugStatus: Needs Review
@m-adamski

Description

@m-adamski
m-adamski
opened on Sep 30, 2024

Symfony version(s) affected

7.1.5

Description

The problem occurs when we have CSP configured in the project. I use NelmioSecurityBundle and script-src I allow only self, https://.googleapis.com and https://.openstreetmap.org.

In result, Asset Mapper generates HTML:

<link rel="stylesheet" href="/assets/css/application-392995c863db447b07c3c4ad0a158e16.css">
<script type="importmap" nonce="fyn9k5hl5935fS6FQJoRTg==" data-language="pl">
{
    "imports": {
        "application": "/assets/js/application-7019f0bc7533e1a3d5c655353a0c1302.js",
        "/assets/css/application.css": "data:application/javascript,"
    }
}
</script>
<!-- ES Module Shims: Import maps polyfill for modules browsers without import maps support -->
<script async src="https://ga.jspm.io/npm:es-module-shims@1.10.0/dist/es-module-shims.js" crossorigin="anonymous" integrity="sha384-ie1x72Xck445i0j4SlNJ5W5iGeL3Dpa0zD48MZopgWsjNB/lt60SuG1iduZGNnJn" nonce="fyn9k5hl5935fS6FQJoRTg==" data-language="pl"></script>
<link rel="modulepreload" href="/assets/js/application-7019f0bc7533e1a3d5c655353a0c1302.js">
<script type="module" nonce="fyn9k5hl5935fS6FQJoRTg==" data-language="pl">import 'application';</script>

Console error:
Refused to load the script 'data:application/javascript,' because it violates the following Content Security Policy directive: "script-src 'self' https://.googleapis.com https://.openstreetmap.org 'nonce-fyn9k5hl5935fS6FQJoRTg==' 'unsafe-inline' 'nonce-77915aef21c7c8ebe26e59118b2ab3be'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Is this line in imports object necessary? Link to CSS file is generated properly.

How to reproduce

nelmio_security.yaml

..
script-src:
  - 'self'
  - 'https://*.googleapis.com'
  - 'https://*.openstreetmap.org'
..

application.js

import "../css/application.css";

console.log('This log comes from assets/app.js - welcome to AssetMapper! 🎉');

base.html.twig

{% block importmap %}
  {{ importmap('application', {
    'nonce': csp_nonce('script'),
    'data-language': app.request.locale
  }) }}
{% endblock %}

Possible Solution

No response

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    AssetMapperBugStatus: Needs Review

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions