Symfony version(s) affected
6.1.4
Description
When upgrading from 6.1.3 to 6.1.4 the exception pages do not remove the Content-Security-Policy anymore, which leads to all styles/scripts failing to be executed if a restrictive CSP is set.
How to reproduce
Set a Content-Security-Policy such as:
Content-Security-Policy: script-src 'self'; style-src 'self'; img-src 'self' data:
And then open a page in a Symfony project in development/debug mode where an exception is thrown.
Possible Solution
As far as I can tell, the CSP should be removed in the HttpKernel ErrorListener (https://github.com/symfony/symfony/blob/6.1/src/Symfony/Component/HttpKernel/EventListener/ErrorListener.php) in removeCspHeader, which is a response event listener. In my project with 6.1.4 removeCspHeader is called before onKernelException, yet removeCspHeader relies on an attribute being set in onKernelException to actually remove the CSP header, so the order in which these are called seems to be wrong with 6.1.4.

After more investigation, I found out that in 6.1.3 the removeCspHeader listener is called twice (again at the very end) and in 6.1.4 it is only called once, so the order has not changed, but one execution is now not happening. See my next comment for the comparisons of event listener execution.
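A standalone harness for the listener interaction described above, added here as an example and not taken from the issue or from Symfony: it wires the HttpKernel component with a response listener that sets the restrictive CSP from the report, routes the main request to a controller that throws, and reports whether ErrorListener's removeCspHeader stripped the header from the resulting exception page on the installed version. It assumes a composer install of symfony/http-kernel and symfony/event-dispatcher 6.1; the error controller and the throwing controller are constructed stand-ins.

```php
<?php
// Constructed reproduction harness (not from the issue or from Symfony itself).
// Assumes: composer require symfony/http-kernel:^6.1 symfony/event-dispatcher:^6.1
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Controller\ArgumentResolver;
use Symfony\Component\HttpKernel\Controller\ControllerResolver;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\EventListener\ErrorListener;
use Symfony\Component\HttpKernel\HttpKernel;
use Symfony\Component\HttpKernel\KernelEvents;

$dispatcher = new EventDispatcher();

// Stand-in for an application listener that adds the restrictive CSP from the
// report to every response (priority 10, so it runs before removeCspHeader at -128).
$dispatcher->addListener(KernelEvents::RESPONSE, function (ResponseEvent $event): void {
    $event->getResponse()->headers->set(
        'Content-Security-Policy',
        "script-src 'self'; style-src 'self'; img-src 'self' data:"
    );
}, 10);

// Only the main request is routed to a throwing controller; the error sub-request
// keeps the _controller attribute that ErrorListener sets on its duplicated request.
$dispatcher->addListener(KernelEvents::REQUEST, function (RequestEvent $event): void {
    if ($event->isMainRequest()) {
        $event->getRequest()->attributes->set('_controller', fn () => throw new \RuntimeException('boom'));
    }
});

// Constructed error controller standing in for the debug exception page renderer.
// debug=true is what enables removeCspHeader in ErrorListener.
$errorController = fn (Request $request): Response => new Response(
    'exception page for '.get_class($request->attributes->get('exception')), 500
);
$dispatcher->addSubscriber(new ErrorListener($errorController, null, true));

$kernel = new HttpKernel($dispatcher, new ControllerResolver(), null, new ArgumentResolver());
$response = $kernel->handle(Request::create('/broken'));

echo 'Status: ', $response->getStatusCode(), PHP_EOL;
echo $response->headers->has('Content-Security-Policy')
    ? 'CSP still present on the exception page: its inline styles/scripts will be blocked'
    : 'CSP removed from the exception page as expected', PHP_EOL;
```

Run it with `php harness.php` against each of the two component versions to see which one keeps the header; the check is the response's Content-Security-Policy header, not the rendered HTML.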
Additional Context
No response