[D7] Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future

Created on 12 August 2016, over 8 years ago
Updated 23 November 2023, about 1 year ago

Problem/Motivation

#2510104: Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future → could potentially be backported to 7.x

Proposed resolution

Remaining tasks

Copy the last 7.x patch from the original 8.x issue, and continue.

User interface changes

API changes

Data model changes

📌 Task
Status

Needs review

Version

7.0 ⚰️

Component
Javascript →

Last updated 2 days ago

Created by

🇬🇧 United Kingdom catch

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇬🇧 United Kingdom kenorb
  • last update about 1 year ago
    2,163 pass
  • last update about 1 year ago
    2,163 pass
  • last update about 1 year ago
    2,166 pass
  • 🇺🇸 United States cboyden

    Updated the patch from #33 to apply cleanly to the latest version.

  • 🇺🇸 United States DamienMcKenna NH, USA
  • Status changed to RTBC 8 months ago
  • 🇺🇸 United States dsnopek USA

    The patch on #45 looks good to me, and has been working fine on some production sites for a while.

  • First commit to issue fork.
  • Merge request !10492 drupal-2783153-45.patch → (Open) created by mcdruid
  • 🇬🇧 United Kingdom mcdruid 🇬🇧🇪🇺

    We looked at getting this one into 7.103 but didn't manage to do so.

    I think this only makes sense if it makes absolutely no changes on a D7 site that does not enable the option.

    The complete lack of JS testing in D7 makes it particularly risky to introduce something like this.

    For example @poker10 spotted this straight away:

            'misc/drupal.js' => array(
              'data' => 'misc/drupal.js',
              'type' => 'file',
              'scope' => 'header',
              'group' => JS_LIBRARY,
              'every_page' => TRUE,
    -         'weight' => -1,
    +        'weight' => -2,
              'requires_jquery' => TRUE,
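
    Review bot: the 'weight' change for misc/drupal.js (-1 to -2) has no condition visible in this hunk, so it takes effect on every site whether or not the new option is enabled, and it moves drupal.js ahead of any JS_LIBRARY script weighted between -2 and -1. Suggest keeping 'weight' => -1 in this definition and applying any reordering only on the code path taken when the option is on. The added line is also indented one space less than the line it replaces.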
    

    That would affect all sites whether they implemented the new option or not.

    Perhaps that's no big deal, but with no automated testing it's hard to tell.. plus who knows what the consequences would be for real sites with lots of modules installed. Some may have carefully tweaked all of the relative weights.. possibly years ago.

    My acceptance criteria for this would be that if the new option is not enabled, absolutely nothing changes.

  • Pipeline finished with Failed
    19 days ago
    Total: 1070s
    #363203
  • 🇬🇧 United Kingdom mcdruid 🇬🇧🇪🇺

    Converted drupal-2783153-45.patch to an MR.

    It does seem to cause one test to fail (not verified causation but seems like a strange coincidence if not):

    JavaScript 160 passes, 1 fail, 1 exception, and 10 debug messages
    
    ---------------------
    ---- JavaScriptTestCase ----
    Status    Group      Filename          Line Function                            
    --------------------------------------------------------------------------------
    Exception Warning    locale.inc        1527 _locale_parse_js_file()            
        file_get_contents(misc/drupal-settings-loader.js): Failed to open stream: No
        such file or directory
    Fail      Other      common.test       1693 JavaScriptTestCase->testJavaScriptA
        When "javascript_always_use_jquery" is FALSE: The front page of the site
        does not include Drupal settings loader.
    