Contrib.social

Extend length of src fields

Open on Drupal.org →
Created on 1 April 2021, about 4 years ago
Updated 6 September 2024, 7 months ago

Problem/Motivation

Nowadays we use a lot of different scripts, services and third parties. Even using wildcard can still not make enough room in 1024 field length, producing an error on trying to save if you entered more than that.
I suggest that those fields are doubled with capacity (not all fields will exceed length limit as web server would not be able to handle it, but that's on user side to make sure he/she takes care of too long header).

Steps to reproduce

Add more than 1024 characters input in one field.

Proposed resolution

Double field length.

In attach is a patch for it.

Feature request
Status

Needs review

Version

2.0

Component

Code

Created by

🇷🇸Serbia milovan

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago
    🇷🇸Serbia levmyshkin Novi Sad, Serbia

    Thank you, this page is working fine for me: Drupal 9.4.

  • Status changed to RTBC about 2 years ago
  • Comment about 2 years ago
    🇷🇸Serbia levmyshkin Novi Sad, Serbia
  • Status changed to Needs review almost 2 years ago
  • Open in Jenkins → Open on Drupal.org →
    Core: 10.0.7 + Environment: PHP 7.3 & MySQL 5.7
    last update almost 2 years ago
    Composer error. Unable to continue.
  • Comment almost 2 years ago
    🇮🇳India er.garg.karan Chandigarh

    This patch worked great for me until I found a setting "CSRF whitelist" which has a max length of 255 and I wanted to add more domains.

    Contributing a patch for that.

  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7
    last update almost 2 years ago
    32 pass
  • Comment 10 months ago
    🇷🇸Serbia miksha

    I needed to add around 3000 characters as I wanted to add `connect-src` for all google supported domains defined at https://www.google.com/supported_domains and in the end I opted to disable `connect-src` form field on seckit config page,

    /**
 * Implements hook_form_FORM_ID_alter().
 *
 * Check CspEventSubscriber.php.
 */
function your_module_form_seckit_settings_form_alter(array &$form, FormStateInterface $form_state, string $form_id) {
  if (isset($form['seckit_xss']['csp']['connect-src'])) {
    $form['seckit_xss']['csp']['connect-src']['#attributes']['disabled'] = 'disabled';
  }
}

    and implement onResponse event subscriber:

    
namespace Drupal\your_module\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * CSP Event Subscriber.
 */
class CspEventSubscriber implements EventSubscriberInterface {

  /**
   * Adds custom CSP headers.a
   */
  public function onResponse(ResponseEvent $event) {
    $response = $event->getResponse();
    $headers = $response->headers;

    // CSP connect-src directive entries.
    $connect_src = [
      '*.google.com', '*.google.ad', '*.google.ae', '*.google.com.af', '*.google.com.ag', '*.google.al', '*.google.am',
      '*.google.co.ao', '*.google.com.ar', '*.google.as', '*.google.at', '*.google.com.au', '*.google.az', '*.google.ba',
      '*.google.com.bd', '*.google.be', '*.google.bf', '*.google.bg', '*.google.com.bh', '*.google.bi', '*.google.bj',
      '*.google.com.bn', '*.google.com.bo', '*.google.com.br', '*.google.bs', '*.google.bt', '*.google.co.bw', '*.google.by',
      '*.google.com.bz', '*.google.ca', '*.google.cd', '*.google.cf', '*.google.cg', '*.google.ch', '*.google.ci',
      '*.google.co.ck', '*.google.cl', '*.google.cm', '*.google.cn', '*.google.com.co', '*.google.co.cr', '*.google.com.cu',
      '*.google.cv', '*.google.com.cy', '*.google.cz', '*.google.de', '*.google.dj', '*.google.dk', '*.google.dm',
      '*.google.com.do', '*.google.dz', '*.google.com.ec', '*.google.ee', '*.google.com.eg', '*.google.es', '*.google.com.et',
      '*.google.fi', '*.google.com.fj', '*.google.fm', '*.google.fr', '*.google.ga', '*.google.ge', '*.google.gg',
      '*.google.com.gh', '*.google.com.gi', '*.google.gl', '*.google.gm', '*.google.gr', '*.google.com.gt', '*.google.gy',
      '*.google.com.hk', '*.google.hn', '*.google.hr', '*.google.ht', '*.google.hu', '*.google.co.id', '*.google.ie',
      '*.google.co.il', '*.google.im', '*.google.co.in', '*.google.iq', '*.google.is', '*.google.it', '*.google.je',
      '*.google.com.jm', '*.google.jo', '*.google.co.jp', '*.google.co.ke', '*.google.com.kh', '*.google.ki', '*.google.kg',
      '*.google.co.kr', '*.google.com.kw', '*.google.kz', '*.google.la', '*.google.com.lb', '*.google.li', '*.google.lk',
      '*.google.co.ls', '*.google.lt', '*.google.lu', '*.google.lv', '*.google.com.ly', '*.google.co.ma', '*.google.md',
      '*.google.me', '*.google.mg', '*.google.mk', '*.google.ml', '*.google.com.mm', '*.google.mn', '*.google.com.mt',
      '*.google.mu', '*.google.mv', '*.google.mw', '*.google.com.mx', '*.google.com.my', '*.google.co.mz', '*.google.com.na',
      '*.google.com.ng', '*.google.com.ni', '*.google.ne', '*.google.nl', '*.google.no', '*.google.com.np', '*.google.nr',
      '*.google.nu', '*.google.co.nz', '*.google.com.om', '*.google.com.pa', '*.google.com.pe', '*.google.com.pg',
      '*.google.com.ph', '*.google.com.pk', '*.google.pl', '*.google.pn', '*.google.com.pr', '*.google.ps', '*.google.pt',
      '*.google.com.py', '*.google.com.qa', '*.google.ro', '*.google.ru', '*.google.rw', '*.google.com.sa', '*.google.com.sb',
      '*.google.sc', '*.google.se', '*.google.com.sg', '*.google.sh', '*.google.si', '*.google.sk', '*.google.com.sl',
      '*.google.sn', '*.google.so', '*.google.sm', '*.google.sr', '*.google.st', '*.google.com.sv', '*.google.td',
      '*.google.tg', '*.google.co.th', '*.google.com.tj', '*.google.tl', '*.google.tm', '*.google.tn', '*.google.to',
      '*.google.com.tr', '*.google.tt', '*.google.com.tw', '*.google.co.tz', '*.google.com.ua', '*.google.co.ug',
      '*.google.co.uk', '*.google.com.uy', '*.google.co.uz', '*.google.com.vc', '*.google.co.ve', '*.google.co.vi',
      '*.google.com.vn', '*.google.vu', '*.google.ws', '*.google.rs', '*.google.co.za', '*.google.co.zm', '*.google.co.zw',
      '*.google.cat', '*.staticflickr.com', '*.flickr.com', 'maps.google.com', 'analytics.google.com', '*.analytics.google.com',
    ];

    // Create the CSP directive.
    $connect_src_directive = "connect-src 'self' " . implode(' ', $connect_src);

    // Check if a Content-Security-Policy header already exists.
    if ($headers->has('Content-Security-Policy')) {
      // Get the existing CSP header.
      $existing_csp = $headers->get('Content-Security-Policy');

      // Append the new connect-src directive to the existing CSP header.
      $new_csp = $existing_csp . '; ' . $connect_src_directive;

      // Set the updated CSP header.
      $headers->set('Content-Security-Policy', $new_csp);
    }
    else {
      // Set the new CSP header if none exists.
      $headers->set('Content-Security-Policy', $connect_src_directive);
    }
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    return [
      KernelEvents::RESPONSE => 'onResponse',
    ];
  }

}

    and you also of course need to add service entry:

    services:
  your_module.event_subscriber:
    class: Drupal\your_module\EventSubscriber\CspEventSubscriber
    tags:
      - { name: event_subscriber }

    Keep in mind that HTTP header max size for Apache server is 8190 bytes so you shouldn't make your HTTP header bigger than what HTTP server supports.

  • Comment 7 months ago
    🇬🇧United Kingdom dahousecat

    I've just installed 2.0.2 and I can see commit ff1433c4f36758359cbc6816bd940ffc203d7562 changed the src fields from textfields to textareas (yay), but also added: 

    '#attributes' => [
        'rows' => 1,
      ],

    to all the src fields.

    As a result of this I used to be able to see all the rules, as by default the textarea with patch #2 was 5 rows, however now I can only see the first row and have to manually extend all the fields.

    This patch fixes that by just removing the rows => 1 bit.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024