nelmio / NelmioSecurityBundle

Adds extra security-related features in your Symfony application

Home Page:https://symfony.com/bundles/NelmioSecurityBundle/


report-uri always returns 404

infomaniac50 opened this issue · comments

I can't seem to get the report-uri feature to work. I have made a demo for this issue: https://github.com/infomaniac50/nelmio-404. If you need anything else let me know.

These tools are installed globally:

  • Composer
  • GNU Make (Not a hard requirement but it makes life easier)
  • Yarn - Used with Symfony Encore dev-server (https://yarnpkg.com/)
  • docker (Only required if you need the User entity)
  • docker-compose (Only required if you need the User entity)

To setup the clone:

```
cp www/.env.dist www/.env
make
bin/dev-server.sh
```

Browse http://127.0.0.1:8000 and observe the debug console.

Chrome says something like:

```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' * 'unsafe-inline' 'nonce-a30f973b26b60d57fb5392d734ac710b'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
POST http://localhost:8000/nelmio/csp/report 404 (Not Found)
```

The first line is for this demo and the second line I don't know.
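As an added illustration (not part of this issue or of NelmioSecurityBundle's code), the following Python shows what the two console lines above mean on the wire: it parses a CSP policy string, applies the rule that a listed nonce or hash makes `'unsafe-inline'` ineffective (the reason Chrome refuses the demo's inline script), and validates the `application/csp-report` JSON body that a browser POSTs to the `report-uri` endpoint once the route actually exists. The policy string is copied from the Chrome message; the report body is constructed, not a real capture.

```python
"""Added example, not project code: CSP policy parsing and report-uri payload
validation. Policy string taken from the issue; sample report is constructed."""
import json
from typing import Optional


def parse_csp(policy: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}.
    Directive names are case-insensitive; source expressions keep their quotes."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        # A repeated directive is ignored by browsers; the first one wins.
        directives.setdefault(name, sources)
    return directives


def inline_script_allowed(policy: str, nonce: Optional[str] = None) -> bool:
    """Does script-src (falling back to default-src) allow an inline script?
    Once a nonce or hash appears in the source list, 'unsafe-inline' is ignored,
    which is exactly the note Chrome prints in the issue above."""
    d = parse_csp(policy)
    sources = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True  # the <script> carries a nonce attribute matching the policy
    if has_nonce_or_hash:
        return False  # 'unsafe-inline' is disabled by the presence of a nonce/hash
    return "'unsafe-inline'" in sources


def parse_csp_report(body: bytes) -> dict:
    """Validate the application/csp-report payload a browser POSTs to report-uri.
    Returns the fields a defender usually logs; raises ValueError on bad input."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing 'csp-report' object")
    required = ("document-uri", "violated-directive", "original-policy")
    missing = [k for k in required if k not in report]
    if missing:
        raise ValueError(f"report lacks required fields: {missing}")
    return {
        "document_uri": report["document-uri"],
        "violated_directive": report["violated-directive"],
        "blocked_uri": report.get("blocked-uri", ""),
        "source_file": report.get("source-file", ""),
        "line_number": report.get("line-number"),
    }


# Policy string as shown in the Chrome message in the issue.
POLICY = "script-src 'self' * 'unsafe-inline' 'nonce-a30f973b26b60d57fb5392d734ac710b'"

# Constructed report body in the shape browsers send (not a real capture).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://localhost:8000/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": POLICY,
    "blocked-uri": "inline",
    "line-number": 12,
}}).encode()


if __name__ == "__main__":
    print(parse_csp(POLICY))
    print("inline without nonce allowed:", inline_script_allowed(POLICY))
    print("inline with matching nonce allowed:",
          inline_script_allowed(POLICY, "a30f973b26b60d57fb5392d734ac710b"))
    print(parse_csp_report(SAMPLE_REPORT))
```

Running it shows why the demo's inline script is refused (the nonce in the policy switches `'unsafe-inline'` off, so only scripts carrying that nonce run) and what a working report endpoint has to accept; until the report route is registered, that POST is what ends in the 404.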

The routes are not defined in your application, add this to config/routes.yaml

```yaml
nelmio_security:
    path:     /nelmio/csp/report
    defaults: { _controller: nelmio_security.csp_reporter_controller:indexAction }
    methods:  [POST]
```

I guess the Symfony Flex Recipe should be updated 🤔 but I am not sure as this feature is optional.

I probably tried adding the route at some point and must have forgotten to clear the cache.

> I guess the Symfony Flex Recipe should be updated 🤔 but I am not sure as this feature is optional.

I prefer to keep the console as clean as possible. If the default setup throws errors without it, the route should probably be in the recipe. Library consumers can restore their configs from git if they don't like it.

Also once it gets configured by Symfony it won't run again unless the package is removed or something happens to vendor/ and symfony.lock.

This should be in an optional bundle.