Only add header to relevant responses

Created on 7 November 2018, about 6 years ago

Updated 19 January 2024, 10 months ago

CSP adds headers to any response that triggers the KernelEvents::RESPONSE event, but Drupal may serve other content types that CSP is not relevant to.

Proposed Changes

Check the class / content-type of the response, and only add headers when appropriate

Response Classes to skip:
- \Symfony\Component\HttpFoundation\JsonResponse (\Drupal\Core\Ajax\AjaxResponse is a subclass)
- \Drupal\Core\Routing\LocalRedirectResponse
- \Drupal\rest\ResourceResponse, \Drupal\rest\ModifiedResourceResponse

Content Types to add header to:
- HTML
- XML
- SVG

📌 Task

Status

Needs work

Version

2.0

Component

Code

Created by

🇨🇦Canada gapple

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 10 months ago →
🇨🇦Canada gapple
Status changed to Needs review 7 days ago12:17pm 8 November 2024
Comment 7 days ago →
🇳🇱Netherlands pjotr van der horst
Here is a reroll of the patch #2

We ran into this issue in combination with 🐛 media_library_opener leads to massive GET requests that break varnish etc. Active while opening the media library and navigating through the pages

The error occurred because our nginx servers didn't accept long url's with a long CSP header. We could have adjusted the nginx configuration but not sending a CSP header in response to AJAX requests seems to be a better solution.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024