Missing style-src-attr unsafe-inline on Views edit page

Created on 2 November 2021, over 3 years ago
Updated 6 September 2024, 7 months ago

Problem/Motivation

After enabling and configuring the CSP module I'm getting the following error in the console when editing Views, e.g. /d927/web/admin/structure/views/view/content/edit/page_1
I don't know if I'm doing something wrong or ..
I'm trying to follow the Basic CSP Policy recommended by OWASP https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_C...

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-attr 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

It is coming from jquery.min.js?v=3.6.0:2

Steps to reproduce

Clean installation of Drupal 9.2.7. Installation of the csp module (tested both 8.x-1.15 and latest dev-1.x fc1d896).
CSP settings: Report Only - Disabled; Enforced - Enabled
Only one setting: default-src: self

Here is relevant part of the csp.settings

enforce:
  enable: true
  directives:
    default-src:
      base: self
  reporting:
    plugin: none

Content-Security-Policy headers when editing Views page:
default-src 'self'; script-src 'self' 'unsafe-inline'; script-src-attr 'self'; style-src 'self' 'unsafe-inline'; style-src-attr 'self'

Proposed resolution

With the manually set
style-src-attr 'self' 'unsafe-inline';
the Views page is fully working. I think this 'unsafe-inline' should be added automatically.

Thanks

🐛 Bug report
Status

Closed: cannot reproduce

Version

1.0

Component

Code

Created by

Bohus Ulrych, Pilsen (Czechia)


Comments & Activities


  • gapple (Canada)

    It's unclear where the issue is coming from, whether it's related to Views itself or to a plugin from another module.

    A somewhat common issue is that page content loaded via AJAX (which Views does quite a bit) requires any policy exceptions to be added to the original page. This causes issues for libraries like rich text editors if they apply inline attributes to their rendered textarea (or for their own interface).

  • Status changed to Closed: cannot reproduce 7 months ago