Ability to override (and disable) hash

[drzraf]

In config/packages/dev/nelmio_security.yaml I'm trying to override hash (which keeps me from using unsafe-inline on my dev environment where I test and have some inlined event handlers).
Thus I use

nelmio_security:
    csp:
        hash: {}

(and other similar syntax).

Still, no way to disable it.
Worst, since {% cspscript %} are in the templates, even dropping hash from the main config/packages/nelmio_security.yaml is not enough (as it keeps sending sha256-* to the browser).

I think computeForScript should take the configuration into consideration.

[sstok]

The {} is considered empty, and will use the default configuration. It's not possible to disable this configuration (which would be false).

Disabling this for CSP would actually defeat the purpose of CSP.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src maybe the 'unsafe-hashes' option can help here.

[drzraf]

I will try 'unsafe-hashes' but my purpose was exactly that: Disabling CSP (for my -dev environment) without having to change my markup.

[drzraf]

https://bugzilla.mozilla.org/show_bug.cgi?id=1343950 (Not supported by FF)

(Overriding hash would be really useful)