Don't recommend CSP 'unsafe-eval'

Created on 11 December 2018, almost 6 years ago
Updated 24 July 2024, 4 months ago

hook_requirements currently recommends a CSP policy default-src https: data: 'unsafe-inline' 'unsafe-eval', which will provide little benefit (little more than http urls will be blocked).

- 'unsafe-eval' is not required by core, and should not be generally required by modern JavaScript.
- data: should not be enabled unless required, and should probably only be defined on a more specific directive (e.g. img-src)
- 'unsafe-inline' is currently required for script-src by CKEditor 4 in core ( #2789139: [upstream] CSP requires 'unsafe-inline' because of CKEditor 4 → ).
- An enforced CSP policy should include reporting directives (report-uri and report-to) so that policy violations can be monitored.

Ideally directives should start with 'self', and only add additional domains as required.

📌 Task
Status: Fixed
Version: 3.0
Component: Code
Created by: 🇨🇦 Canada gapple


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States minnur San Francisco
  • Status changed to Active 4 months ago
  • 🇨🇦 Canada gapple

    As of the 3.0.2 release, the status message:
    - Still includes 'unsafe-eval' 😞
    - * allows any HTTP(S) scheme or domain, so also including https: is redundant.

    Recommending default-src * data: 'unsafe-inline' 'unsafe-eval'; is little (if any) better than not specifying a Content Security Policy.

    ----

    The default policy I have suggested for core to adopt in 📌 "Add a default CSP and clickjacking defence and minimal API for CSP to core" (Active) is script-src * 'unsafe-inline'; object-src 'none'; frame-ancestors 'self', which blocks 'unsafe-eval' and other domains from being able to load pages in an iframe.

    Rather than including a specific policy in the status message, I would recommend including a link to documentation or a guide on getting started with CSP, since individual site's needs will vary.
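
To make the comparison between the policies quoted in this thread concrete, here is a small policy linter. It is an example added to this page, not code from Drupal core or from the module whose hook_requirements is under discussion. It parses a Content-Security-Policy header value and flags the weaknesses raised in the issue summary and in the comment above: 'unsafe-eval', 'unsafe-inline' with nothing else gating inline script, wildcard or scheme-only script sources (and the redundant https: next to *), data: on default-src, an object-src that is not 'none', a missing frame-ancestors directive, and no report-uri/report-to. The first two sample policies are the strings quoted in this issue; the stricter third policy, its nonce value and the report-to group name are assumptions made up for illustration.

```python
"""Linter for Content-Security-Policy header values.

Added example, not code from Drupal core or the module in this issue. The
first two sample policies are quoted from the thread; STRICT_EXAMPLE, its
nonce and the report-to group name are constructed for illustration.
"""

# Policy recommended by hook_requirements as quoted in the comment above.
RECOMMENDED_OLD = "default-src * data: 'unsafe-inline' 'unsafe-eval'"
# Policy proposed for core in the comment above.
PROPOSED_CORE = "script-src * 'unsafe-inline'; object-src 'none'; frame-ancestors 'self'"
# Constructed stricter policy (assumed values, nonce is a placeholder).
STRICT_EXAMPLE = ("default-src 'self'; script-src 'self' 'nonce-d2VsbCBkb25l'; "
                  "img-src 'self' data:; object-src 'none'; frame-ancestors 'self'; "
                  "report-to csp-endpoint")

# Source expressions that match every host, or every host on a scheme.
ANY_HOST = ("*", "https:", "http:")
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source-expressions]}.

    Directive names are case-insensitive; a repeated directive is ignored,
    which is how browsers treat duplicates.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing a fetch directive, falling back to default-src.

    Returns None when neither is set, meaning that fetch type is unrestricted.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def lint_csp(header):
    """Return a list of (directive, problem) tuples; an empty list is clean."""
    policy = parse_csp(header)
    findings = []

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append(("script-src", "unrestricted"))
    else:
        if "'unsafe-eval'" in script:
            findings.append(("script-src", "'unsafe-eval'"))
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so it is only a finding when nothing else gates inline script.
        if "'unsafe-inline'" in script and not any(
                s.startswith(HASH_OR_NONCE_PREFIXES) for s in script):
            findings.append(("script-src", "'unsafe-inline'"))
        if any(s in ANY_HOST for s in script):
            findings.append(("script-src", "any-host"))
        # '*' already matches any http(s) host, so a scheme next to it adds nothing.
        if "*" in script and ("https:" in script or "http:" in script):
            findings.append(("script-src", "redundant-scheme"))

    # data: on default-src lets every fetch type that falls back to it, scripts
    # included, load from data: URLs; put it on a narrower directive if needed.
    if "data:" in policy.get("default-src", []):
        findings.append(("default-src", "data:"))

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append(("object-src", "not-none"))

    # frame-ancestors does not fall back to default-src; absent means framable.
    if "frame-ancestors" not in policy:
        findings.append(("frame-ancestors", "missing"))

    if "report-uri" not in policy and "report-to" not in policy:
        findings.append(("reporting", "missing"))

    return findings


if __name__ == "__main__":
    for label, header in (("old", RECOMMENDED_OLD), ("core", PROPOSED_CORE),
                          ("strict", STRICT_EXAMPLE)):
        print(label, header)
        for directive, problem in lint_csp(header) or [("-", "no findings")]:
            print(f"  {directive}: {problem}")
```

Run stand-alone it prints the findings for each of the three policies. The old recommendation trips every check; the proposed core policy keeps only the 'unsafe-inline' and any-host findings that the CKEditor 4 dependency forces, plus the missing reporting directive; the constructed strict policy is clean. The linter only looks at the directives discussed here and treats the header text literally, so it will not catch a policy that is strong on paper but served on the wrong responses.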

  • Status changed to Fixed 4 months ago
  • 🇺🇸 United States minnur San Francisco

    Makes sense. I removed recommendation from the status page.

  • Automatically closed - issue fixed for 2 weeks with no activity.
