- Issue created by @dieterholvoet
- Status changed to Postponed
over 1 year ago 3:48pm 6 November 2023 - 🇧🇪Belgium dieterholvoet Brussels
Setting to Postponed as long as ✨ Expose nonce for javascript libraries Needs review is not merged/released.
- Merge request !331 Set the nonce attribute on styles added in accent.js → (Open) created by dieterholvoet
- 🇨🇦Canada gapple
Something I would suggest is adding a `conflict` (and possibly a `require-dev` constraint, though not strictly necessary without any relevant tests) to Gin's composer.json, so that there aren't errors if someone has an older version of CSP before the `csp.nonce` service was available (and probably for the upcoming version where adding the nonce to `drupalSettings` is fixed).
- 🇨🇦Canada gapple
I've got a helper class/method for adding nonces that I think is ready for merging to the CSP module: ✨ Add helper for safely appending nonce/hash sources Fixed
Something I want to check on, is that gin is currently still supporting core `^9 | ^10` while csp dev is currently dropping support for D9. Is it worth it for csp to include the new feature in a D9 compatible release to avoid upgrade conflicts for sites, or will gin be dropping D9 support for new releases soon as well?
- Status changed to Needs work
10 months ago 9:13am 13 May 2024 - 🇧🇪Belgium dieterholvoet Brussels
@gapple @saschaeggi confirmed in Slack that Gin will continue supporting D9 for a while.
- 🇧🇪Belgium dieterholvoet Brussels
@gapple I noticed something: in the MR of this issue Gin adds a nonce for `style-src`, but this means that the site now can't enable `unsafe-inline` anymore. This message appears in the console when you try to do that: `Ignoring “'unsafe-inline'” within style-src: nonce-source or hash-source specified`
It looks like you fixed this in ✨ Add helper for safely appending nonce/hash sources Fixed , but since you dropped support for Drupal 9 there won't be a way to fix this in Gin for a while. Is re-adding support for Drupal 9 something you would consider? Is there a specific reason why you dropped support?
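The browser behaviour behind that console message, as an added stand-alone illustration (not code from the csp or gin modules, and not their helper API): a nonce or hash source in a directive makes CSP Level 2+ browsers ignore `'unsafe-inline'` in that same directive, so a helper that appends a nonce has to check for it first. The `append_nonce` function below refuses to add the nonce when `'unsafe-inline'` is present and, when `style-src` is missing, copies the `default-src` sources so the explicit directive keeps the same effective policy. Function names and the sample headers are constructed for this example.

```python
import base64
import re
import secrets

# A nonce-source or hash-source in a directive causes browsers to ignore
# 'unsafe-inline' in that directive (this is what the console warning reports).
_NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$"
)


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Serialise {directive: [sources]} back into a header value."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items())


def ignored_unsafe_inline(policy):
    """Directives where 'unsafe-inline' is listed but will be ignored by the browser."""
    return [
        name for name, srcs in policy.items()
        if "'unsafe-inline'" in srcs and any(_NONCE_OR_HASH.match(s) for s in srcs)
    ]


def append_nonce(policy, directive, nonce):
    """Return (new_policy, added). The nonce is NOT added when the directive
    relies on 'unsafe-inline', because it would silently disable that source."""
    policy = dict(policy)
    srcs = policy.get(directive)
    if srcs is None:
        # An explicit directive replaces the default-src fallback entirely,
        # so inherit its sources before extending them.
        srcs = list(policy.get("default-src", []))
    if "'unsafe-inline'" in srcs:
        return policy, False
    srcs = [s for s in srcs if s != "'none'"]  # 'none' is only valid alone
    policy[directive] = srcs + [f"'nonce-{nonce}'"]
    return policy, True


def generate_nonce():
    """Fresh per-response nonce (128 random bits, base64 as the spec expects)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()
```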
- 🇨🇦Canada gapple
Drupal 9 is no longer receiving security support, and there's some incompatibilities that don't allow supporting both Drupal 9 and 11 in the same release.
I did leave some space in the 1.x version numbering though, and google_tag.module is also still supporting Drupal 9 on their dev branch & would benefit from the same helper, so it's something I could backport to a D9-compatible release after I finish getting a 2.0.0 release out.
- 🇨🇦Canada gapple
I've created a 8.x-1.25 release → that's compatible with D9 and contains the helpers.
I've updated the merge request for Google Tag, which can be referenced for using the service: ✨ Support Content Security Policy nonce Active
The conflict rule to get a release with the helper service is
"conflict": { "drupal/csp": "<1.25 || >=1.30 <1.32" },