Report URI not working in other environments than PROD about nelmiosecuritybundle HOT 6 CLOSED

I just tried with fresh install of Symfony 3.0.6 and 2.8.6, but the behavior is still here, with both PHP5 & 7 :/

from nelmiosecuritybundle.

Additional to your normal bundle configuration, just try this in your config_dev.yml with this:

nelmio_security:
    csp:
        enforce:
            report-uri: /app_dev.php/nelmio/csp/report

But i would advice you instead of using the http://localhost/app.php/ or http://localhost/app_dev.php/ access, to configure different vhosts or just run application twice on different ports on time with env dev and one time with env prod like this:

php bin/console server:start -p8000 --env dev
php bin/console server:start -p8001 --env prod

So that both applications are now running independently and can be called by http://localhost:8001/ for prod and http://localhost:8000/ for dev

from nelmiosecuritybundle.

I'll give a try with the embedded web server, thx.

Btw, is there any reason why this bundle does not work with the app_dev.php ?

from nelmiosecuritybundle.

The reason is, that the report uri is an absolute location and not a route.

When you start your server and the default is the app.php which means production environment all requests are pointing to the production system. This was the reason why it may help to just point the reporting URL to another location if your app runs in dev mode.

But any way it's way more secure to just use separated runtimes.

from nelmiosecuritybundle.

You can use

nelmio_security:
    csp:
        enforce:
            report-uri: %router.request_context.base_url%/csp/report

It should solve your issue

from nelmiosecuritybundle.

I've updated the doc to mention this in 51deb40

from nelmiosecuritybundle.