Skip report-uri processing if value is empty

Created on 19 January 2020, almost 5 years ago
Updated 3 February 2023, almost 2 years ago

We have done a lot of customization to our Content Security Policy, and no longer want to write to "/report-csp-violation" and watchdog unless it's for debugging purposes. It's adding too many unnecessary HTTP requests.

Also, report-uri is now deprecated, and should be optional: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Securi...

However, the way the default settings work for Security Kit, even if report-uri is given an empty value, it still replaces it with SECKIT_CSP_REPORT_URL when running. This is similar to the issue posted here for 8.x-1.x: https://www.drupal.org/project/seckit/issues/3046117 (allow CSP report-uri to be disabled more easily).

I've written a patch that does the following:

2) Break out of _seckit_csp_report if report-uri is empty.

3) Do not override a non-empty value for report-uri in _seckit_get_options.

Please review the attached, thank you.

📌 Task
Status: Fixed
Version: 1.0
Component: Code
Created by: 🇺🇸 United States ron_s
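
The behaviour described in the issue, as an added example that is not part of the original post or the Security Kit code base: an empty report-uri falling back to a default endpoint, next to a version that leaves the directive out and ignores incoming reports. All function names, the constant name and the option layout are hypothetical; only the `/report-csp-violation` path comes from the issue text.

```php
<?php
// Hypothetical stand-in for the module's default report endpoint.
const EXAMPLE_CSP_REPORT_URL = '/report-csp-violation';

/**
 * Builds a CSP header value from an options array (hypothetical helper).
 *
 * With $fallback = TRUE an empty report-uri is replaced by the default
 * endpoint, which is the behaviour the issue describes. With FALSE the
 * directive is left out of the header entirely.
 */
function example_build_csp(array $options, bool $fallback): string {
  $report_uri = trim((string) ($options['report-uri'] ?? ''));
  if ($report_uri === '' && $fallback) {
    $report_uri = EXAMPLE_CSP_REPORT_URL;
  }
  $directives = [];
  foreach ($options['directives'] ?? [] as $name => $value) {
    $value = trim((string) $value);
    if ($value !== '') {
      $directives[] = "$name $value";
    }
  }
  if ($report_uri !== '') {
    $directives[] = "report-uri $report_uri";
  }
  return implode('; ', $directives);
}

/**
 * Report handler guard (hypothetical): when reporting is disabled, return
 * early so nothing is parsed or logged, even if a browser still POSTs.
 */
function example_handle_report(array $options, string $raw_body): ?array {
  if (trim((string) ($options['report-uri'] ?? '')) === '') {
    return NULL;
  }
  $report = json_decode($raw_body, TRUE);
  return is_array($report) && isset($report['csp-report']) ? $report['csp-report'] : NULL;
}

// Constructed sample configuration and report body.
$options = ['report-uri' => '', 'directives' => ['default-src' => "'self'", 'img-src' => "'self' data:"]];
$body = '{"csp-report":{"blocked-uri":"https://example.invalid/x.js"}}';
echo example_build_csp($options, TRUE), PHP_EOL;   // header still carries report-uri
echo example_build_csp($options, FALSE), PHP_EOL;  // header has no report-uri
var_dump(example_handle_report($options, $body));  // report ignored while disabled
```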
