Remove inline scripts for CSP

Created on 1 February 2023, over 1 year ago
Updated 15 February 2024, 4 months ago

Problem/Motivation

Similar to 📌 [D7] Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future (Needs review), it would be good if we could remove inline JavaScript.
Primarily referring to:
<script>jQuery.migrateMute=true;jQuery.migrateTrace=false;</script>
Although inline scripts are used in a few other places, those are more of a special use case, whereas jQuery Migrate is used very often (permanently).

Error message:
Refused to execute inline script because it violates the following Content Security Policy directive: ***<snip>***. Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Steps to reproduce

  1. Enable jQuery Migrate and CSP (Content-Security-Policy)
  2. Load any page, look at the JavaScript errors and observe the above error message

Proposed resolution

  1. Generate files and serve those instead (unless anyone has got any better ideas)

Remaining tasks

  1. Get a response from maintainer as to whether such a change would be accepted
  2. Do it

User interface changes

None.

API changes

None.

Data model changes

None.
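The error message quoted above lists the three ways a browser will accept an inline script ('unsafe-inline', a matching hash, or a nonce). The added example below is not part of this issue or of the module's code; it models that decision in Python for the exact jQuery Migrate snippet, and shows why the hash route only fits static snippets.

```python
import base64
import hashlib
from typing import List, Optional

# Constructed sample: the inline snippet quoted in the issue, byte for byte.
INLINE_SNIPPET = "jQuery.migrateMute=true;jQuery.migrateTrace=false;"

STRICT_PREFIXES = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")


def csp_hash_source(script_body: str) -> str:
    """Return the 'sha256-...' source expression that allows this exact inline script.

    The hash covers the bytes between <script> and </script>, whitespace included,
    so it only suits static snippets; per-request content needs a nonce or a file.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_sources(policy: str) -> List[str]:
    """Source list governing scripts: script-src, else the default-src fallback."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def inline_script_allowed(policy: str, script_body: str, nonce: Optional[str] = None) -> bool:
    """Mirror the browser decision behind 'Refused to execute inline script'.

    nonce is the value of the <script nonce="..."> attribute, if the tag has one.
    Once a hash or nonce appears in the directive, 'unsafe-inline' is ignored,
    so adding a hash for one snippet tightens the policy for every other one.
    """
    sources = script_src_sources(policy)
    has_strict_source = any(s.startswith(STRICT_PREFIXES) for s in sources)
    if "'unsafe-inline'" in sources and not has_strict_source:
        return True
    if csp_hash_source(script_body) in sources:
        return True
    return nonce is not None and f"'nonce-{nonce}'" in sources


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self'"
    print(inline_script_allowed(policy, INLINE_SNIPPET))  # False: the issue's error case
    hashed = policy + " " + csp_hash_source(INLINE_SNIPPET)
    print(inline_script_allowed(hashed, INLINE_SNIPPET))  # True: hash listed in script-src
```

Serving the snippet as a file from the site's own origin, as the proposed resolution suggests, lets it pass under a plain 'self' source with no hash or nonce bookkeeping.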

✨ Feature request
Status

Needs work

Version

4.0

Component

Code

Created by

🇬🇧 United Kingdom MustangGB Coventry, United Kingdom


Comments & Activities

  • Issue created by @MustangGB
  • Status changed to Needs work 4 months ago
  • 🇬🇧 United Kingdom mcdruid 🇬🇧🇪🇺

    Sorry for the long delay.

    It'd be good to fix this; especially for jQuery Migrate which - as you mention - is likely to be used by a lot of the installs of this module.

    Writing out to a file sounds like it'd make sense... presumably that'd typically go into an aggregated bundle.

    If the JS snippet is relatively static, could the module provide the file itself rather than generating an ephemeral one?

    Are there examples of other modules addressing this same issue?
