- United Kingdom somersoft
This updated patch is for 7.x-1.11 release.
- Status changed to Needs review
over 1 year ago 1:54pm 24 May 2023
- United States DamienMcKenna NH, USA
Thank you for the patches. Let's set the status "Needs review" to let people know there's something to review, and also trigger the testbot.
- last update
over 1 year ago 32 pass
- last update
over 1 year ago 32 pass
- United Kingdom somersoft
Further review of the code indicated that more changes had to be done.
- last update
over 1 year ago 32 pass
- last update
over 1 year ago Patch Failed to Apply
- United Kingdom somersoft
Corrected the mistake as the information was not being passed into the header.
- Canada djac
Patch #13 tests well for me in 7.x-1.11.
Configuration also exports successfully using Features.
- last update
over 1 year ago 32 pass
- Canada mvc Montréal, CA
Reroll for latest 7.x-1.x, using textareas per "Text fields not big enough" (Fixed)
- last update
over 1 year ago 32 pass
- Canada mvc Montréal, CA
Oops, forgot the form validation hook - trying again
- United Kingdom somersoft
Found that some browsers will also report for script-src-attr and style-src-attr configuration.
For these changes for the 2.x branch see "CSP: Directive script-src-elem violated with googletagmanager" (Needs work)
- United Kingdom somersoft
Revert which version as 2.x is in another related ticket.
- Merge request !44 Resolve #3169402 "Directive style src elem violated" (Open) created by DamienMcKenna
- United States DamienMcKenna NH, USA
I created a MR from patch #18, and tweaked the wording because the description of one field seemed incorrect.
- United States DamienMcKenna NH, USA
I've noticed that the logs are being flooded with this:
CSP: Directive style-src-elem violated.
Blocked URI: inline.
I set style-src-elem to 'self' 'unsafe-inline' 'inline' but the errors keep flooding in?
- Canada gapple
@damienmckenna
Possibly - the full violation report should include an original-policy property that you can verify if clients are receiving the updated directive.
Including a hash, nonce, or using 'strict-dynamic' would also disable inline scripts, but it sounds like you're not using any of those.
('inline' isn't a valid directive source, but it should just be ignored).
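The check suggested in the last reply, as an added example that is not part of the thread or the module's code: it reads original-policy from a violation report and reports whether the policy the client actually received allows inline styles, and which quoted sources the browser would ignore. The sample reports are constructed, the function names are hypothetical, and the field names assume the legacy report-uri JSON body.

```javascript
// Added example, not Drupal module code. Field names follow the legacy
// report-uri JSON body ("csp-report" / "original-policy").
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'unsafe-hashes'", "'strict-dynamic'", "'report-sample'", "'wasm-unsafe-eval'"]);
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;
// Directives consulted, in order, for inline <style> elements.
const FALLBACK = ["style-src-elem", "style-src", "default-src"];

// Serialized policy -> { directive: [sources] }; a repeated directive is ignored.
function parsePolicy(policy) {
  const out = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in out)) out[key] = sources;
  }
  return out;
}

// Decide whether the policy the client received allows inline styles.
function diagnose(report) {
  const body = report["csp-report"] || report;
  const policy = parsePolicy(body["original-policy"] || "");
  const directive = FALLBACK.find((d) => d in policy) || null;
  if (!directive) return { directive, allowsInline: true, ignored: [] };
  const sources = policy[directive];
  // Quoted tokens that are neither a keyword nor a nonce/hash are dropped.
  const ignored = sources.filter((s) =>
    s.startsWith("'") && !KEYWORDS.has(s.toLowerCase()) && !NONCE_OR_HASH.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // A nonce or hash makes the browser ignore 'unsafe-inline' in that directive.
  const nonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  return { directive, allowsInline: unsafeInline && !nonceOrHash, ignored };
}

// Constructed sample reports: one sent under a stale policy, one under the new one.
const stale = { "csp-report": { "effective-directive": "style-src-elem",
  "blocked-uri": "inline",
  "original-policy": "default-src 'self'; style-src 'self'" } };
const updated = { "csp-report": { "effective-directive": "style-src-elem",
  "blocked-uri": "inline",
  "original-policy": "default-src 'self'; style-src-elem 'self' 'unsafe-inline' 'inline'" } };

console.log(diagnose(stale));   // client still enforcing the old policy
console.log(diagnose(updated)); // inline allowed; 'inline' listed as ignored
```

If reports keep arriving with the first shape after the configuration change, the clients sending them are still enforcing a cached or differently generated policy.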