src/EventSubscriber/ContentSecurityPolicySubscriber.php line 18

Open in your IDE?
  1. <?php
  3. namespace App\EventSubscriber;
  5. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  6. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  7. use Symfony\Component\HttpKernel\KernelEvents;
  9. class ContentSecurityPolicySubscriber implements EventSubscriberInterface
  10. {
  11.     public static function getSubscribedEvents(): array
  12.     {
  13.         return [
  14.             KernelEvents::RESPONSE => 'onKernelResponse',
  15.         ];
  16.     }
  18.     public function onKernelResponse(ResponseEvent $event): void
  19.     {
  20.         if (!$event->isMainRequest()) {
  21.             return;
  22.         }
  24.         $response $event->getResponse();
  25.         
  26.         // Ustaw własny CSP z 'unsafe-eval' dla script-src
  27.         $response->headers->set(
  28.             'Content-Security-Policy',
  29.             "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;"
  30.         );
  31.     }
  32. }