Hundreds of log entries: Uninitialized string offset: 0

In our code we dit something like this:
'style-src' => 'https://somedomain.com ' . $this->getInlineStyleSha(),

But when there was no return value from getInlineStyleSha(), the added directive is
'style-src' => 'https://cloudstatic.obi4wan.com https://fonts.googleapis.com '
It ends with a space. Apparently the space is converted to an empty array item in the module.

Please consider this solution: apply array_filter to strip the empty elements from the array in appendDirective...

This error is triggered for my environment when the extlink → module is installed, and CSP attempts to generate sources from the installed modules, however because extlink has an "external" library that's still relative to the Drupal installation i.e. /extlink/settings.js, rather than relative to the defining module.

The self::getHostFromUri() call returns an empty string, which is what triggers the error further down the process.

And as far as I can tell from reviewing core's LibraryDiscoverParser code, the library assets starting with a / may be flagged as external and still work as expected, but removing the external flag in the upstream module is ultimately the right approach to address this.

So options are:

1. We update the code so that it automatically skips "external" libraries with no valid hosts
2. Automatically switch empty external libraries to a "self" policy (not sure if necessary)
3. Mark as postponed/wont-fix and leave for the relevant upstream modules to address

I would personally opt for skipping empty hosts since those contrib modules aren't aware of CSP, and aren't opting into its integration. Thoughts welcome.

@codebymikey thanks for the investigation!

It looks like extlink should have the external type removed, or it won't work as expected if the Drupal docroot is in a folder - it currently hits the prior code block (L213-215) and skips over everything handling various internal cases (root relative, stream wrapper, extension relative, actually external but not specified as such...)

But this is easy enough to also address in CSP, so that incorrect configuration in other modules doesn't cause errors.

gapple → closed merge request !14

Looks like extlink added external to work around some issues with other modules expecting a file to exist for a dynamic script that's provided by a route: 🐛 settings.js missing Fixed . I'm not sure it's a common enough use case to warrant requiring checks for file presence or adding a new attribute to library files so that extlink can revert that change 😒.

I created new child issues and committed fixes related to:
- extlink: 🐛 PHP warning if library asset provided by route is tagged as external Fixed
- appending using strings with extra whitespace: 🐛 PHP warning if adding multiple sources in string with extra spaces Fixed

I'll set this issue back to "needs more info" for anyone to report any additional causes, or (hopefully) if the current fixes have resolved the issue for them.

Since it's been a few months without further reports, I'm going to close this issue.

Automatically closed - issue fixed for 2 weeks with no activity.