Deprecate / Remove Content Security Policy configuration in favour of Content Security Policy module

Created on 2 June 2018, almost 7 years ago

Updated 7 February 2023, over 2 years ago

The Content Security Policy module ( https://www.drupal.org/project/csp → ) partially automates creating a content-security-policy header by integrating with Drupal 8's libraries system, addresses some of the current issues with Security Kit's CSP functionality, and contains additional features that I hope are worthy of succeeding the CSP implementation provided by Security Kit:
- Implements all directives defined in CSP level 3
- Able to send separate enforced and report-only policies
- Provides a more granular configuration schema and administrative form
- The administrative form performs validation on directive values
- Policies are internally represented as objects, and will be alterable by other modules in the future

🌱 Plan

Status

Active

Version

1.0

Component

Code

Created by

🇨🇦Canada gapple

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 2 years ago →
🇯🇵Japan ptmkenny
I've been happily using the CSP module and I second this approach. Using CSP for the content security policy would make it easier to use these modules side by side.

There's also the Permissions Policy → module, which could be recommended in favor of the obsolete "Feature Policy" config of this module. (though that's a separate issue)
Comment over 2 years ago →
🇦🇺Australia Feng-Shui
I've just made this switch, the CSP module provides a couple of missing directives that are only possible with patches at the moment. Also being able to run some in reporting and some in blocking is great. Based on the number of CSP related issues in the issue queue, I think this would be a good move.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024