Better CSP support for themes

Created on 16 November 2023, over 1 year ago
Updated 26 May 2024, 10 months ago

Problem/Motivation

Themes aren't able to provide services, so they cannot subscribe to the csp.policy_alter event to alter the policy dynamically themselves (see #2002606: Allow themes to provide services.yml).

This prevents themes from being able to:
- Add 'unsafe-inline' to script or style directives if needed
- Selectively modify -elem or -attr directives
- Add additional sources to other directives (e.g. font-src)
- Add a nonce source for dynamically loaded or inserted scripts or styles (related issue: Expose nonce for javascript libraries, status: Needs review)

As a workaround, a theme can depend on a companion module that provides the service (see #474684: Allow themes to declare dependencies on modules).

Proposed resolution

Allow themes to provide sources for directives without requiring a module dependency where possible.

Remaining tasks

User interface changes

API changes

Data model changes

🌱 Plan
Status

Closed: outdated

Version

1.0

Component

Code

Created by

🇨🇦Canada gapple


Comments & Activities

  • Issue created by @gapple
  • 🇨🇦Canada gapple

    Brainstorming some options:

    • Provide a service for declaring additional sources - any module or theme could define additional sources prior to the response / policy alter event. Those sources would be merged into the policy after CSP builds it from config and library definitions, but before the alter event is dispatched. This could have some limitations in cases where multiple modules need to collaborate (e.g. disabling a nonce if 'unsafe-inline' is already present in a directive)
    • Add a method to the csp.nonce service for flagging directives which should have a nonce source added (if possible). This would be accessible to themes, and simpler for modules than needing to implement a csp.policy_alter subscriber which adds the value from Nonce::getSource() to directives (and could handle the logic for cases like 'unsafe-inline' being required by something else).
    • Parse additional values from a new property on library definitions. This would make adding a font-src for CSS that loads fonts much simpler.
    • Use the render metadata system to bubble up additional CSP configuration from render elements.
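    The csp.policy_alter subscriber described in the second option above, written out as an added example (not code from the issue or the CSP module). It assumes a companion module named my_theme_csp (the workaround from the summary), the theme wanting a nonce on script-src and style-src, and the csp module's Csp class methods hasDirective(), getDirective() and appendDirective(); check those names against the installed module version.

```php
<?php

namespace Drupal\my_theme_csp\EventSubscriber;

use Drupal\csp\CspEvents;
use Drupal\csp\Event\PolicyAlterEvent;
use Drupal\csp\Nonce;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Adds the per-request nonce to directives on behalf of a theme.
 *
 * Lives in a companion module because themes cannot register services.
 */
class ThemeNonceSubscriber implements EventSubscriberInterface {

  /** Directives the theme wants a nonce on (assumed theme requirement). */
  const NONCE_DIRECTIVES = ['script-src', 'style-src'];

  public function __construct(private readonly Nonce $nonce) {}

  public static function getSubscribedEvents(): array {
    // Low priority so other modules' alterations are already applied.
    return [CspEvents::POLICY_ALTER => ['onCspPolicyAlter', -100]];
  }

  public function onCspPolicyAlter(PolicyAlterEvent $event): void {
    $policy = $event->getPolicy();

    foreach (self::NONCE_DIRECTIVES as $directive) {
      // Only touch directives that are actually enabled in the policy.
      if (!$policy->hasDirective($directive)) {
        continue;
      }
      // Browsers ignore 'unsafe-inline' once a nonce or hash source is
      // present, so adding a nonce here would break whatever still relies
      // on 'unsafe-inline'. Leave such directives alone.
      $sources = $policy->getDirective($directive);
      if (in_array("'unsafe-inline'", $sources, TRUE)) {
        continue;
      }
      // Nonce::getSource() returns the 'nonce-...' source expression.
      $policy->appendDirective($directive, $this->nonce->getSource());
    }
  }

}
```

    Register the class in the companion module's services.yml with `arguments: ['@csp.nonce']` and `tags: [{ name: event_subscriber }]`.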
  • 🇨🇦Canada gapple

    Another possibility:

    • Dispatch a hook for themes with ThemeManager::alter().
  • 🇧🇪Belgium dieterholvoet Brussels

    I think adding a hook would cover the most bases, but some of these other propositions would also be a good idea DX-wise.

  • Status changed to Closed: outdated 10 months ago
  • 🇨🇦Canada gapple

    I've created these separate issues:
    • Allow CSP to be added by render elements (status: Needs review)
    • Enable specifying additional directives in library definitions (status: Active)

    and with the theme hook already in 1.24, I think themes will be well optioned 🙂
