<?php
namespace App\EventListener;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
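class RequestListener
{
    /**
     * CSP directives emitted outside the test environment, in header order.
     *
     * Only the keys matter: each directive's source list is read at request
     * time from an environment variable named after it (`script-src` ->
     * `SCRIPT_SRC`), see buildContentSecurityPolicy(). The empty values are
     * placeholders and are never written to the header; the array is not
     * mutated per request.
     */
    private array $contentSecurityPolicy = [
        'object-src' => '',
        'script-src' => '',
        'form-action' => '',
        'frame-ancestors' => '',
        'connect-src' => '',
        'font-src' => '',
        'frame-src' => '',
        'img-src' => '',
        'media-src' => '',
        'style-src' => '',
    ];

    /**
     * Adds browser hardening headers to the main-request response.
     *
     * Sub-requests (forwards, ESI/fragment renders) are skipped: only the
     * outermost response reaches the client. Under APP_ENV=test a fixed CSP
     * is used; in every other environment — including an unset APP_ENV,
     * which deliberately falls through to the stricter branch — the CSP is
     * assembled from environment variables and two extra policy headers are
     * added.
     *
     * @throws \RuntimeException if a CSP environment variable is unset (non-test only)
     */
    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $headers = $this->baselineHeaders();

        if ('test' !== ($_ENV['APP_ENV'] ?? null)) {
            $headers['Content-Security-Policy'] = $this->buildContentSecurityPolicy();
            $headers['Permissions-Policy'] = 'camera=()';
            // NOTE(review): no-referrer-when-downgrade sends the full URL
            // (path + query) to any cross-origin HTTPS destination;
            // strict-origin-when-cross-origin is the usual hardened default.
            // Left unchanged because analytics/partners may depend on it.
            $headers['Referrer-Policy'] = 'no-referrer-when-downgrade';
        } else {
            // Test-only policy. 'unsafe-inline' in script-src defeats most of
            // CSP's XSS protection and must never reach the non-test branch.
            // frame-ancestors 'self' takes precedence over X-Frame-Options
            // in CSP-aware browsers, so same-origin framing is allowed here.
            $headers['Content-Security-Policy'] = "object-src 'none'; script-src 'self' 'unsafe-inline' js-agent.newrelic.com code.jquery.com www.nutella.com static.addtoany.com www.google.com www.gstatic.com ; form-action 'self'; frame-ancestors 'self';";
        }

        $event->getResponse()->headers->add($headers);
    }

    /**
     * Headers sent in every environment.
     *
     * @return array<string, string>
     */
    private function baselineHeaders(): array
    {
        return [
            // NOTE(review): the XSS auditor this header controls has been
            // removed from Chromium, and in older browsers the filter itself
            // was usable as a cross-site leak oracle; current guidance is `0`
            // (or omitting the header) and relying on CSP. Kept as-is to
            // preserve behaviour.
            'X-XSS-Protection' => '1; mode=block',
            'X-Frame-Options' => 'DENY',
            'X-Content-Type-Options' => 'nosniff',
            // Two years, subdomains included, preload-list eligible.
            'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload;',
        ];
    }

    /**
     * Assembles the non-test Content-Security-Policy from the environment.
     *
     * For each directive in $contentSecurityPolicy the emitted value is
     * "<env value> <RQST_CTXT_HOST> <DOMAINS>", where DOMAINS has ';'
     * replaced by ' ' so a semicolon-separated list becomes a source list.
     * The directives are joined with '; '.
     *
     * NOTE(review): only the env var's *value* is written — this method never
     * emits the directive name itself. Each variable (OBJECT_SRC, SCRIPT_SRC,
     * ...) must therefore begin with its directive, e.g.
     * OBJECT_SRC="object-src 'none'"; otherwise browsers see a bare source
     * list and ignore it. Confirm against the deployment config rather than
     * prefixing the name here, which would duplicate it if the env already
     * carries it. Note also that host and domains are appended to every
     * directive, including any whose value is 'none' — browsers ignore
     * 'none' when other sources are present.
     *
     * @throws \RuntimeException when a required variable is unset; an unset
     *         variable would otherwise silently drop that directive (it used
     *         to surface only as an "undefined array key" warning)
     */
    private function buildContentSecurityPolicy(): string
    {
        $domains = str_replace(';', ' ', $this->requireEnv('DOMAINS'));
        $host = $this->requireEnv('RQST_CTXT_HOST');

        $directives = [];
        foreach (array_keys($this->contentSecurityPolicy) as $directive) {
            $envName = strtoupper(str_replace('-', '_', $directive));
            $sources = $this->requireEnv($envName);
            $directives[] = "{$sources} {$host} {$domains}";
        }

        return implode('; ', $directives);
    }

    /**
     * Reads an environment variable from $_ENV, failing closed if it is unset.
     *
     * An empty string is accepted (an intentionally empty source list); a
     * missing key is a misconfiguration of the security headers and must not
     * ship a weakened policy.
     *
     * @throws \RuntimeException if $name is not present in $_ENV
     */
    private function requireEnv(string $name): string
    {
        if (!array_key_exists($name, $_ENV)) {
            throw new \RuntimeException(sprintf(
                'Environment variable %s is required to build the Content-Security-Policy header.',
                $name,
            ));
        }

        return (string) $_ENV[$name];
    }
}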