Enable conditional/alternate directive values

Created on 2 November 2023, about 1 year ago
Updated 15 May 2024, 6 months ago

Problem/Motivation

Some modules may want to authorize assets with a nonce, but will need to fall back to allowing by domain if another module requires 'unsafe-inline'. The two cannot simply coexist: when a directive contains a nonce-source (or hash-source), CSP-aware browsers ignore 'unsafe-inline' in that directive, which would break the module that depends on it.

e.g. google_tag issue "Support Content Security Policy" (status: Needs review):
- If no other module requires 'unsafe-inline', only a nonce is added to script-src. The nonce is added to the dynamically inserted script tag and to any additional scripts that Tag Manager includes.
- If another module requires 'unsafe-inline', only the Tag Manager domain is added to script-src. Additional third-party domains will need to be added to configuration for inclusion (the CSP module would add them to all requests; Google Tag could instead add them to the conditional domains so they are not emitted alongside a nonce).

Proposed resolution

Option A: Provide a new Csp Policy object that allows specifying domains that are not required if a nonce (or hash) is included and used for the corresponding directive.
The object could be a wrapper for a basic Csp object, or be created by copying the values from an existing policy (by passing the existing object to a static create method).

The class constructor or creation method should check the type of the original policy to determine if it needs to wrap/copy or can just return the original object.

Option B: Provide additional methods on the current Csp class for specifying conditional sources for directives.
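The following is an added, stand-alone sketch of the resolution logic described in the motivation and in Option A; it is not code from the csp module and does not use the module's Csp class or its API. Class and method names (ConditionalCspPolicy, addSource, addConditionalSource, resolveDirective, getHeaderValue) are assumptions made for illustration, and the Tag Manager domain is an example value. The one design decision beyond the issue text is that a nonce or hash already present in a directive is dropped when some module has added 'unsafe-inline', so the fallback domains take over instead of silently disabling 'unsafe-inline'.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative policy builder (hypothetical; not the csp module's Csp class).
 *
 * Sources added with addSource() are always emitted. Sources added with
 * addConditionalSource() are emitted only when the resolved directive contains
 * no nonce-source or hash-source, mirroring Option A above.
 */
final class ConditionalCspPolicy
{
    /** @var array<string, string[]> directive => unconditional sources */
    private array $sources = [];

    /** @var array<string, string[]> directive => sources used only without a nonce/hash */
    private array $conditional = [];

    public function addSource(string $directive, string ...$values): void
    {
        foreach ($values as $value) {
            $this->sources[$directive][] = $value;
        }
    }

    public function addConditionalSource(string $directive, string ...$values): void
    {
        foreach ($values as $value) {
            $this->conditional[$directive][] = $value;
        }
    }

    private static function isNonceOrHash(string $source): bool
    {
        return (bool) preg_match("/^'(nonce|sha256|sha384|sha512)-/", $source);
    }

    /**
     * Resolve one directive to its final source list.
     *
     * Assumed rule: if any module added 'unsafe-inline', nonce/hash sources are
     * removed (browsers ignore 'unsafe-inline' once a nonce or hash is present).
     * Conditional sources are appended only when no nonce/hash survives.
     *
     * @return string[]
     */
    public function resolveDirective(string $directive): array
    {
        $values = $this->sources[$directive] ?? [];

        if (in_array("'unsafe-inline'", $values, true)) {
            $values = array_filter($values, fn (string $s): bool => !self::isNonceOrHash($s));
        }

        $hasNonceOrHash = false;
        foreach ($values as $value) {
            if (self::isNonceOrHash($value)) {
                $hasNonceOrHash = true;
                break;
            }
        }

        if (!$hasNonceOrHash) {
            $values = array_merge($values, $this->conditional[$directive] ?? []);
        }

        return array_values(array_unique($values));
    }

    public function getHeaderValue(): string
    {
        $directives = array_unique(array_merge(
            array_keys($this->sources),
            array_keys($this->conditional)
        ));
        $parts = [];
        foreach ($directives as $directive) {
            $parts[] = $directive . ' ' . implode(' ', $this->resolveDirective($directive));
        }
        return implode('; ', $parts);
    }
}

// Constructed per-request nonce value for the demonstration.
$nonce = "'nonce-" . base64_encode(random_bytes(16)) . "'";

// Scenario 1: only the tag-manager integration contributes to script-src.
// The nonce is kept and the conditional domain is omitted.
$policy = new ConditionalCspPolicy();
$policy->addSource('script-src', "'self'", $nonce);
$policy->addConditionalSource('script-src', 'https://www.googletagmanager.com'); // example domain
echo $policy->getHeaderValue(), PHP_EOL;

// Scenario 2: another module requires 'unsafe-inline'. The nonce is dropped
// and the domain fallback is emitted so both modules keep working.
$policy->addSource('script-src', "'unsafe-inline'");
echo $policy->getHeaderValue(), PHP_EOL;
```

Run with `php conditional_csp.php` (any file name). The first header line carries 'self' and the nonce only; the second carries 'self', 'unsafe-inline' and the Tag Manager domain, with the nonce removed. The same resolve step would apply to hash-sources, which is why the check matches the sha256/sha384/sha512 prefixes as well as nonce-.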

Remaining tasks

User interface changes

N/A

API changes

Data model changes

N/A

Category: Feature request
Status: Active
Version: 2.0
Component: Code
Created by: gapple (🇨🇦 Canada)
