Add hashes if directive already has hash or nonce

Created on 22 December 2021, almost 3 years ago

Updated 31 July 2024, 4 months ago

Problem/Motivation

Currently if any directive already includes 'unsafe-inline', the module will not add a hash or nonce since it may block functionality.

// Don't make any modifications if closest enabled fallback uses
// 'unsafe-inline'.
if (in_array(Csp::POLICY_UNSAFE_INLINE, $fallbackValue)) {
  return;
}

If the directive also already includes a hash or nonce, however, the new values should be added.

Proposed resolution

When a directive includes 'unsafe-inline', only skip modifying the directive if it also does not contain a hash or nonce source.

🐛 Bug report

Status

Needs work

Version

1.0

Component

Code

Created by

🇨🇦Canada gapple

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Open in Jenkins → Open on Drupal.org →
Core: 9.5.x + Environment: PHP 7.4 & MySQL 8
last update about 1 year ago
7 pass
@gapple opened merge request.
Status changed to Needs work 4 months ago11:56pm 31 July 2024
Comment 4 months ago →
🇨🇦Canada gapple
This should use the helpers added by ✨ Add helper for safely appending nonce/hash sources Fixed

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024