0

I am currently using symfony with many packages of symfony ux, and my external scripts (such as font awesome or google fonts) are not loaded, i receive this error message : Content-Security-Policy : Les paramètres de la page ont empêché l’exécution d’un script intégré (script-src-elem) car il enfreint la directive suivante : « script-src 'self' »

Here is my composer.json :

{
    "type": "project",
    "license": "proprietary",
    "minimum-stability": "stable",
    "prefer-stable": true,
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.2",
        "doctrine/doctrine-bundle": "^2.11",
        "doctrine/doctrine-migrations-bundle": "^3.3",
        "doctrine/orm": "^2.17",
        "gocardless/gocardless-pro": "^5.9",
        "nelmio/cors-bundle": "*",
        "phpdocumentor/reflection-docblock": "^5.3",
        "phpstan/phpdoc-parser": "^1.25",
        "symfony/asset": "7.0.*",
        "symfony/asset-mapper": "7.0.*",
        "symfony/console": "7.0.*",
        "symfony/doctrine-messenger": "7.0.*",
        "symfony/dotenv": "7.0.*",
        "symfony/expression-language": "7.0.*",
        "symfony/flex": "^2",
        "symfony/form": "7.0.*",
        "symfony/framework-bundle": "7.0.*",
        "symfony/http-client": "7.0.*",
        "symfony/intl": "7.0.*",
        "symfony/mailer": "7.0.*",
        "symfony/mime": "7.0.*",
        "symfony/monolog-bundle": "^3.0",
        "symfony/notifier": "7.0.*",
        "symfony/process": "7.0.*",
        "symfony/property-access": "7.0.*",
        "symfony/property-info": "7.0.*",
        "symfony/runtime": "7.0.*",
        "symfony/security-bundle": "7.0.*",
        "symfony/serializer": "7.0.*",
        "symfony/stimulus-bundle": "^2.13",
        "symfony/string": "7.0.*",
        "symfony/translation": "7.0.*",
        "symfony/twig-bundle": "7.0.*",
        "symfony/ux-turbo": "^2.13",
        "symfony/validator": "7.0.*",
        "symfony/web-link": "7.0.*",
        "symfony/yaml": "7.0.*",
        "twig/extra-bundle": "^2.12|^3.0",
        "twig/twig": "^2.12|^3.0"
    },
    "config": {
        "allow-plugins": {
            "php-http/discovery": true,
            "symfony/flex": true,
            "symfony/runtime": true
        },
        "sort-packages": true
    },
    "autoload": {
        "psr-4": {
            "App\\": "src/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "App\\Tests\\": "tests/"
        }
    },
    "replace": {
        "symfony/polyfill-ctype": "*",
        "symfony/polyfill-iconv": "*",
        "symfony/polyfill-php72": "*",
        "symfony/polyfill-php73": "*",
        "symfony/polyfill-php74": "*",
        "symfony/polyfill-php80": "*",
        "symfony/polyfill-php81": "*",
        "symfony/polyfill-php82": "*"
    },
    "scripts": {
        "auto-scripts": {
            "cache:clear": "symfony-cmd",
            "assets:install %PUBLIC_DIR%": "symfony-cmd",
            "importmap:install": "symfony-cmd"
        },
        "post-install-cmd": [
            "@auto-scripts"
        ],
        "post-update-cmd": [
            "@auto-scripts"
        ]
    },
    "conflict": {
        "symfony/symfony": "*"
    },
    "extra": {
        "symfony": {
            "allow-contrib": false,
            "require": "7.0.*"
        }
    },
    "require-dev": {
        "phpunit/phpunit": "^9.5",
        "symfony/browser-kit": "7.0.*",
        "symfony/css-selector": "7.0.*",
        "symfony/debug-bundle": "7.0.*",
        "symfony/maker-bundle": "^1.0",
        "symfony/phpunit-bridge": "^7.0",
        "symfony/stopwatch": "7.0.*",
        "symfony/web-profiler-bundle": "7.0.*"
    }
}

I am not using nelmio security bundle, so why do I receive this message ?

I tried to modify my nelmio cors bundle without success.

Improve this question
1
  • Maybe it is a good idea to translate the error message to english. That way, more people can help you with this. Commented Aug 7, 2024 at 11:23

1 Answer 1

Reset to default
0

The error message translated is the following

Content-Security-Policy : The page settings have prevented the execution of an embedded script (script-src-elem) because it encounters the following directive: “script-src 'self'”.

In simple terms the CSP you have is preventing you from loading scripts from external domains.

When you see script-src 'self' in a CSP, it means that the page is only allowing JavaScript files to be loaded and executed if they are hosted on the same origin as the page, you will need to change your CSP for the external hosted scripts to load.

see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more details

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.