Comments (8)
So if you get this I suppose you added this to your routing.yml:
nelmio_security:
    path: /nelmio/csp/report
    defaults: { _controller: nelmio_security.csp_reporter_controller:indexAction }
    methods: [POST]
Did you also configure the csp stuff in the bundle? Can you show your bundle config?
from nelmiosecuritybundle.
Correct, I have done those steps. Here's the relevant portion of my config.yml file:
# Nelmio Security Bundle Configuration
nelmio_security:
    # signs/verifies all cookies
    # signed_cookie:
    #     names: ['*']
    #     secret: secret # defaults to global %secret% parameter
    #     hash_algo: sha512
    # encrypt all cookies
    # encrypted_cookie:
    #     names: ['*']
    #     secret: secret
    #     algorithm: rijndael-256
    # prevents framing of the entire site
    clickjacking:
        paths:
            '^/.*': DENY
    # prevents redirections outside the website's domain
    external_redirects:
        log: true
        override: homepage
    # prevents inline scripts, unsafe eval, external scripts/images/styles/frames, etc
    csp:
        report_uri: /nelmio/csp/report
        report_only: false
        default: [ self ]
        frame: [ 'https://www.youtube.com' ]
        script:
            - self
            - 'https://www.google-analytics.com'
            - 'http://www.google-analytics.com'
    # disables content type sniffing for script resources
    content_type:
        nosniff: true
    # forced HTTPS handling, don't combine with flexible mode
    # and make sure you have SSL working on your site before enabling this
    # forced_ssl:
    #     hsts_max_age: 2592000 # 30 days
    #     hsts_subdomains: true
    # flexible HTTPS handling, read the detailed config info
    # and make sure you have SSL working on your site before enabling this
    # flexible_ssl:
    #     cookie_name: auth
    #     unsecured_logout: false
And here is my routing.yml file:
nelmio_security:
    path: /nelmio/csp/report
    defaults: { _controller: nelmio_security.csp_reporter_controller:indexAction }
    methods: [POST]
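As an added example (not the bundle's own code): a small Python script that turns the csp: section pasted above into the header the browser would receive, and flags sources that weaken the policy. It assumes the bundle maps each config key to the matching -src directive and single-quotes keywords such as self; the config dict is constructed from the thread's YAML.

```python
# Constructed from the csp: section of the config.yml pasted above.
CSP_CONFIG = {
    "report_uri": "/nelmio/csp/report",
    "report_only": False,
    "default": ["self"],
    "frame": ["https://www.youtube.com"],
    "script": ["self", "https://www.google-analytics.com",
               "http://www.google-analytics.com"],
}

# Bundle config key -> CSP directive name (assumption: the bundle maps key to key-src).
DIRECTIVES = {"default": "default-src", "script": "script-src", "style": "style-src",
              "img": "img-src", "frame": "frame-src", "connect": "connect-src"}
# Keywords must be single-quoted in the header; the YAML writes them bare.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def quote_source(src):
    return f"'{src}'" if src in KEYWORDS else src


def build_csp(config):
    """Return (header name, header value); report_only selects the Report-Only header."""
    parts = []
    for key, directive in DIRECTIVES.items():
        sources = config.get(key)
        if sources:
            parts.append(f"{directive} " + " ".join(quote_source(s) for s in sources))
    if config.get("report_uri"):
        parts.append(f"report-uri {config['report_uri']}")
    name = ("Content-Security-Policy-Report-Only" if config.get("report_only")
            else "Content-Security-Policy")
    return name, "; ".join(parts)


def lint_csp(config):
    """Flag sources that weaken the policy: plain-http origins and unsafe-* keywords."""
    findings = []
    for key, directive in DIRECTIVES.items():
        for src in config.get(key) or []:
            if src.startswith("http://"):
                findings.append(f"{directive}: {src} allows a non-TLS origin")
            elif src in ("unsafe-inline", "unsafe-eval"):
                findings.append(f"{directive}: '{src}' defeats the directive")
    return findings


if __name__ == "__main__":
    print(": ".join(build_csp(CSP_CONFIG)))
    print("\n".join(lint_csp(CSP_CONFIG)))
```

Run against the thread's config it reports the plain-http google-analytics origin, which a browser would refuse to load on an HTTPS page anyway.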
This controller was introduced in the master branch and not tagged yet, so unless you're specifying it with @dev or ~1.4 you get the 1.3 version.
Okay, so it's not in the latest stable version then? How come it was included in the documentation?
@ahnatiw it's in the current dev version, which the master documentation on the github homepage reflects. I'll try to tag a release soon.
@ahnatiw 1.4.0 is out now with all the new CSP stuff, it should fix your issue.
That it did. Thanks again, @Seldaek.
I can't seem to find the "/nelmio/csp/report" file that the controller logs to. Where would I find that on my filesystem?
Edit: It's just logging to the app/logs/.log file, correct? Unless I specify "report_logger_service: monolog.logger.security" in the config? And if I do specify that, is there a separate "security.log" file that gets generated?
Only if you define a security logger that directs its messages to a security.log file.