default-src has wrong description

Created on 20 January 2021, over 4 years ago
Updated 28 July 2023, about 2 years ago

Problem/Motivation

The comment under the "default-src" field at /admin/config/system/seckit is wrong / misleading.
It says:
> Specify security policy for all types of content, which are not specified further (frame-ancestors excepted). Default is 'self'.

But its default is not 'self'. Its default value is empty, meaning the "default-src" definition is not present in the generated Content-Security-Policy header.

Steps to reproduce

1) configure the seckit module

Go to /admin/config/system/seckit
Configure the "Content Security Policy" section under "Cross-site Scripting"
Send HTTP response header - enable
You can see the "default-src" field has empty value (after the fresh module installation)
Verify the "report-uri" field has the default "/report-csp-violation" value.
Save configuration.

2) observe the content security policy header:

for example, using curl and a cache buster:

$ curl -sI http://my-d8.site/?ab1 | grep Content-Security-Policy
Content-Security-Policy: report-uri /report-csp-violation

conclusion: The default value was empty and the "default-src" directive is not present in the header.

3) reconfigure the seckit module

Set the "default-src" to 'self' and save.

4) Observe the header

$ curl -sI http://my-d8.site/?ab2 | grep Content-Security-Policy
Content-Security-Policy: default-src 'self'; report-uri /report-csp-violation

conclusion: after *explicitly* setting the value of "default-src" to 'self', this made it to the header.

Proposed resolution

Change the comment under the field
from: "Default is 'self'."
to: "Default is empty, meaning the default-src directive won't be present in the generated header."

Remaining tasks

Find the wrong comment in the module code. Create a patch.

User interface changes

Changed user interface text

API changes

N/A

Data model changes

N/A
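
As an added check (example code written for this page, not part of the issue, the patch or the seckit module): a POSIX shell script that parses a Content-Security-Policy header value, reports whether default-src is present, and shows which source list a fetch directive such as script-src effectively gets, which is its own list, else default-src, else nothing at all. The two sample header values are constructed from the two curl observations above; the fetch_csp helper and its cache-buster query parameter are assumptions for checking a live site and are not invoked by default.

```shell
#!/bin/sh
# Added example, not code from the seckit issue or module. Parses a CSP header
# value and shows what a fresh-install policy (no default-src) actually allows.
# Assumptions: directive names are compared exactly as sent; the URL given to
# fetch_csp has no query string of its own; the two sample headers below are
# constructed from the observations in the issue.

# csp_directives VALUE -> one directive name per line
csp_directives() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//' -e '/^$/d'
}

# csp_directive_value VALUE NAME -> the source list of NAME, or nothing
csp_directive_value() {
  printf '%s\n' "$1" | tr ';' '\n' | sed -e 's/^[[:space:]]*//' \
    | awk -v n="$2" '$1 == n { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# csp_has_directive VALUE NAME -> exit 0 if NAME is present
csp_has_directive() {
  csp_directives "$1" | grep -qx -- "$2"
}

# csp_default_src_status VALUE -> prints "present" or "missing"
csp_default_src_status() {
  if csp_has_directive "$1" default-src; then echo present; else echo missing; fi
}

# csp_effective_sources VALUE FETCH_DIRECTIVE
# Prints the source list the browser applies to a fetch directive such as
# script-src: its own list if set, else default-src, else "<unrestricted>"
# (no policy applies, which is the fresh-install situation described above).
# Non-fetch directives (frame-ancestors, report-uri, sandbox, ...) never fall
# back to default-src, so only ask about fetch directives here.
csp_effective_sources() {
  own=$(csp_directive_value "$1" "$2")
  if [ -n "$own" ]; then printf '%s\n' "$own"; return 0; fi
  dflt=$(csp_directive_value "$1" default-src)
  if [ -n "$dflt" ]; then printf '%s\n' "$dflt"; return 0; fi
  echo "<unrestricted>"
}

# fetch_csp URL -> header value from a live site, using a cache-buster query
# (assumed helper; needs network access, not called below)
fetch_csp() {
  curl -sI "$1?cb=$$" | tr -d '\r' \
    | awk 'tolower($1) == "content-security-policy:" { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# Constructed samples: the header seen after a fresh install, and after
# explicitly setting default-src to 'self'.
FRESH_INSTALL_CSP="report-uri /report-csp-violation"
FIXED_CSP="default-src 'self'; report-uri /report-csp-violation"

for hdr in "$FRESH_INSTALL_CSP" "$FIXED_CSP"; do
  echo "policy: $hdr"
  echo "  default-src: $(csp_default_src_status "$hdr")"
  for d in script-src object-src img-src; do
    echo "  effective $d: $(csp_effective_sources "$hdr" "$d")"
  done
done
```

Run it as-is to compare the two sample policies, or call `fetch_csp http://my-d8.site` and pass the result to the same functions to check a live install. The "<unrestricted>" result for script-src under the fresh-install header is the practical reason an empty default-src matters: with only report-uri set, the header reports nothing and restricts nothing.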

🐛 Bug report
Status

Needs work

Version

2.0

Component

Documentation

Created by

🇦🇺Australia marji Sydney


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    re. #4 and #5 yes, the description is the same in the D7 branch but the default is correctly applied to match the description.

    https://git.drupalcode.org/project/seckit/-/blob/7.x-1.12/seckit.module#...

    Let's fix 2.x rather than changing the description to match the bug.

    https://git.drupalcode.org/project/seckit/-/blob/2.0.1/config/install/se...

  • First commit to issue fork.
    Core: 10.0.7 + Environment: PHP 8.2 & MySQL 8
    last update about 2 years ago
    34 pass
  • Status changed to Needs review about 2 years ago
  • 🇮🇳India bharath-kondeti Hyderabad

    Addressed #10 and raised a PR. Please review

  • Status changed to Needs work about 2 years ago
  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    Thanks. However, a clean install of the module still seems to have an empty value for default-src:

    $ drush cget seckit.settings
    
    _core:
      default_config_hash: **SNIP**
    seckit_xss:
      csp:
        checkbox: false
        vendor-prefix:
          x: false
          webkit: false
        report-only: false
        default-src: ''   <====
        script-src: ''
        object-src: ''
    
    ..snip..
    

    The same thing shows up in the admin UI, as we'd expect.

    I'm not sure why yet, but just adding the default to config/install/seckit.settings.yml doesn't seem to be enough to fix this.

  • First commit to issue fork.
  • Pipeline finished with Success
    6 months ago
    Total: 235s
    #436937
  • 🇬🇧United Kingdom the_g_bomb

    drush en seckit using this latest patch and seckit: 2.0.3 or seckit dev-2.x seems to work ok for me when you view the admin form.

      - Installing drupal/seckit (dev-2.x f15d470): Cloning f15d470265 from cache
      - Applying patches for drupal/seckit
        https://git.drupalcode.org/project/seckit/-/merge_requests/16.diff (3193697: default-src has wrong description)
    


    And also when running:

     % drush cget seckit.settings
    _core:
      default_config_hash: **SNIP**
    seckit_xss:
      csp:
        checkbox: false
        vendor-prefix:
          x: false
          webkit: false
        report-only: false
        default-src: "'self'"
        script-src: ''
        object-src: ''
    ..snip..
    