Why SRI must not be used for page.js + how to load AddToAny with a CSP

Created on 2 June 2023, almost 2 years ago
Updated 3 June 2023, almost 2 years ago

Problem/Motivation

We have a client that did a security audit and one of the issues is to add SRI to external links

Steps to reproduce

Just add SRI to the script

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request
Status

Closed: works as designed

Version

1.0

Component

Code

Created by

🇪🇸 Spain paucala


Comments & Activities

  • Issue created by @paucala
  • @paucala opened merge request.
  • Issue was unassigned.
  • Status changed to Closed: works as designed almost 2 years ago
  • 🇺🇸 United States micropat

    Definitely do not use SRI on page.js; that evergreen file receives important updates and SRI will break it on the very next update.

    For site security AddToAny supports a strict content security policy (CSP) with nonces; however, nonces aren't currently straightforward to implement in Drupal (see the csp module issue "Allow script / style by nonce" (status: Postponed) and the seckit module issue "Implement a 'semi automatic' Nonce settings" (status: Needs work)), so it's a good idea to explicitly allow specific domains in .htaccess like:

    Header add Content-Security-Policy "default-src 'unsafe-inline' https://*.addtoany.com https://*.pinterest.com; img-src 'self' data:;"

    This explicitly allows domains such as https://*.addtoany.com (and https://*.pinterest.com if Pinterest is wanted, for example).
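As an added check (Python written for this page, not code from the thread or from the AddToAny project): a small evaluator that resolves script and image URLs against the header quoted above, applying CSP's script-src to default-src fallback and its subdomain-only host wildcards. It assumes page.js is served from https://static.addtoany.com/menu/page.js and that the site runs at https://example.org; both are assumptions, not values from the thread.

```python
import fnmatch
from urllib.parse import urlsplit
# Constructed copy of the header value quoted in the comment above.
CSP = ("default-src 'unsafe-inline' https://*.addtoany.com https://*.pinterest.com; "
       "img-src 'self' data:;")
# Assumptions not stated in the thread: where page.js is served from, and the site origin.
PAGE_JS = "https://static.addtoany.com/menu/page.js"
SITE = "https://example.org"

def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Does one source expression allow this URL? (host/scheme sources and 'self' only)"""
    u = urlsplit(url)
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
    if expr.startswith("'"):
        return False  # 'unsafe-inline', 'none', nonces and hashes never match a URL
    if expr.endswith(":"):
        return u.scheme == expr[:-1]  # scheme-source such as data: or https:
    e = urlsplit(expr if "://" in expr else "//" + expr)
    # Host wildcards cover subdomains only (*.addtoany.com does not match addtoany.com);
    # a path in the source expression is a prefix match.
    return ((not e.scheme or e.scheme == u.scheme)
            and fnmatch.fnmatchcase((u.hostname or "").lower(), (e.hostname or "").lower())
            and (not e.path or u.path.startswith(e.path)))

def allows(policy, directive, url, page_origin=SITE):
    """Resolve a fetch directive with CSP's fallback to default-src, then test the URL."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)

def report(header=CSP):
    """Check the loads a Drupal page using AddToAny actually makes against the policy."""
    policy = parse_csp(header)
    return {
        "addtoany page.js": allows(policy, "script-src", PAGE_JS),
        "addtoany apex host": allows(policy, "script-src", "https://addtoany.com/page.js"),
        "site's own drupal.js": allows(policy, "script-src", SITE + "/core/misc/drupal.js"),
        "inline data: image": allows(policy, "img-src", "data:image/png;base64,AAAA"),
    }
```

The same-origin script result is the one to watch: with no script-src directive and no 'self' in default-src, a browser enforcing this header would refuse the site's own scripts, so a deployed policy also needs 'self' (or a script-src directive that lists it) alongside the AddToAny hosts.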
