- Issue created by @penyaskito
- Status changed to Active
almost 2 years ago 8:51pm 7 February 2023
- Status changed to Needs review
almost 2 years ago 9:49pm 7 February 2023
- 🇪🇸Spain penyaskito Seville 💃, Spain 🇪🇸, UTC+2 🇪🇺
Attached patch with tests, similar to what was done in 7.x-1.x
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Adding credit from ✨ Extend length of feature policy field Closed: duplicate which I've closed as a duplicate.
- last update
over 1 year ago 34 pass
- last update
over 1 year ago 34 pass
- last update
over 1 year ago 34 pass
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
A couple of textfields had been missed, plus added a CSS library to match what we did in the D7 branch.
In the process of adding the CSS library, I think I've found that this library is defined incorrectly:
```
modules/contrib/seckit$ head -n3 seckit.libraries.yml
seckit/listener:
  js:
    js/seckit.listener.js: {}
```
... I don't think it should have the module name prepended to the library name. That's one for a follow-up issue though.
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
🐛 seckit/listener library incorrectly defined Fixed for the JS listener library fix.
- last update
over 1 year ago Patch Failed to Apply
- last update
over 1 year ago 34 pass
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Fix for the JS library meant this patch needed the tiniest of re-rolls.
- last update
over 1 year ago 34 pass
- Status changed to Fixed
over 1 year ago 10:18am 28 July 2023
- 🇨🇦Canada dylan donkersgoed London, Ontario
mcdruid → credited Dylan Donkersgoed → .
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Adding credit from ✨ Allow entering more content in CSP fields Closed: duplicate which I've closed as a dupe (hope it's not too late to add the credit).
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Adding credit from another duplicate 📌 Add textarea type to script-src field Closed: duplicate.
Automatically closed - issue fixed for 2 weeks with no activity.
- Status changed to Fixed
6 months ago 9:44am 14 May 2024
- 🇳🇱Netherlands Floris Vedder
I found that this patch can result in a 502 error due to a too large response header.
So use it with care.
Too big header issue
When the response header is too large, the server will return a 502 and will log something like: upstream sent too big header while reading response header from upstream, client
Possible solution:
Validation before saving as done on another platform.
https://really-simple-ssl.com/instructions/content-security-policy-maxim....
As stated, they first check the impact of the content security policy configuration against the server configuration before saving.
Combination with downloads:
When the configuration is just below the maximum, it will work on normal pages, but in our case it still resulted in the `too big header` issue on downloads. Probably due to additional header info in a download like mime-type. Is the Content-Security-Policy really needed on a download? Otherwise the solution might be to not include it in the header in downloads.
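The "validate before saving" idea from the comment above, sketched as an added example that is not part of the original comment or of Seckit's code: it measures the complete response header block, not only the policy, so a policy that fits on a normal page but not on a download is caught. All function names are hypothetical, and the 4096-byte limit is an assumption to be replaced with the header buffer size from your own server configuration.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical helpers, not Seckit code. The limit is an
// ASSUMED header buffer size; read the real one from your server configuration.
const ASSUMED_HEADER_BUFFER_BYTES = 4096;

/** Builds the header value from a directive => list-of-sources map. */
function build_csp_value(array $directives): string {
  $parts = [];
  foreach ($directives as $name => $sources) {
    $sources = array_filter(array_map('trim', $sources), fn(string $s): bool => $s !== '');
    if ($sources) {
      $parts[] = $name . ' ' . implode(' ', $sources);
    }
  }
  return implode('; ', $parts);
}

/** Bytes the headers occupy on the wire: "Name: value\r\n" for each one. */
function header_block_bytes(array $headers): int {
  $total = 0;
  foreach ($headers as $name => $value) {
    $total += strlen($name) + 2 + strlen($value) + 2;
  }
  return $total;
}

/** Returns one error per response profile whose headers exceed $limit. */
function validate_csp_size(array $directives, array $profiles, int $limit = ASSUMED_HEADER_BUFFER_BYTES): array {
  $csp = ['Content-Security-Policy' => build_csp_value($directives)];
  $errors = [];
  foreach ($profiles as $label => $other_headers) {
    $bytes = header_block_bytes($csp + $other_headers);
    if ($bytes > $limit) {
      $errors[] = sprintf('%s: %d header bytes exceed the %d byte limit', $label, $bytes, $limit);
    }
  }
  return $errors;
}

// Constructed sample, sized so the policy fits on a page but not on a download.
$hosts = array_map(fn(int $i): string => "https://cdn{$i}.example.com", range(1, 151));
$directives = ['default-src' => ["'self'"], 'script-src' => ["'self'", ...$hosts]];
$profiles = [
  'page' => ['Content-Type' => 'text/html; charset=UTF-8'],
  'download' => ['Content-Type' => 'application/pdf', 'Content-Disposition' => 'attachment; filename="report.pdf"'],
];
echo implode(PHP_EOL, validate_csp_size($directives, $profiles)), PHP_EOL;
```

Each profile should list every other header the site really sends for that response type (cookies, cache headers and so on), since they all share the same buffer.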