Contrib.social

CSP headers are overflowing when in maintenance mode (throws error 502)

Open on Drupal.org →
Created on 23 November 2023, almost 2 years ago
Updated 26 May 2024, over 1 year ago

Problem/Motivation

I encountered difficulties when attempting to enable Drupal maintenance mode on our remote environments.

Drupal headers are impacting the rendering of this page. I've come across recommendations in the Drupal community suggesting an increase in the 'fastcgi_buffer_size', but this is not an option in our current hosting.

The header properties related to the overflow are related to CSP module, specially img-src Policy.
I've attempted to clear the headers with https://www.drupal.org/project/remove_http_headers , but unfortunately, it's not working.

Steps to reproduce

Enable CSP module and configure the enforced policy.
Add a large value within img-src Policy (in my case it contains 2400 bytes).
Put Drupal in maintenance mode (happens on remote hosting; local environments are fine due to the difference in fastcgi_buffer_size configs).
Error 502 will appear.
The file 'nginx_error.log' will log 'upstream sent too big header while reading response header from upstream, client.'

Feature request
Status

Closed: works as designed

Version

1.0

Component

Code

Created by

🇧🇷Brazil lucasrossi

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @lucasrossi
  • Comment almost 2 years ago
    🇧🇷Brazil lbernard07

    This patch checks if the status code is 503, in case it's true, it will not apply the flags and source directives.

  • Open in Jenkins → Open on Drupal.org →
    Core: 10.1.4 + Environment: PHP 8.2 & MySQL 8
    last update almost 2 years ago
    132 pass
  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.x + Environment: PHP 7.3 & MySQL 5.5
    last update almost 2 years ago
    Composer require failure
  • Open in Jenkins → Open on Drupal.org →
    Core: 10.1.x + Environment: PHP 8.2 & MySQL 8
    last update almost 2 years ago
    132 pass
  • Status changed to RTBC almost 2 years ago
  • Comment almost 2 years ago
    🇧🇷Brazil lucasrossi

    Patch #2 is working on Drupal 9.5.x (PHP 8.1).

  • Status changed to Needs work almost 2 years ago
  • Comment almost 2 years ago
    🇨🇦Canada gapple

    Since this sounds like an environment-specific issue (limited to a particular response code), I don't think it's something to be solved within CSP module. There's potential for configuring an alternate policy for circumstances like maintenance mode which could have a much shorter and more restrictive policy, but it would need to be configurable since other people's environments and needed policy will differ.

    The patch provided in #2 would omit things from config like 'self', but still allows other modules to alter the policy, which could potentially block necessary assets.

    My suggestion would be to implement a custom module with an event subscriber to alter the policy when needed for your environment and the particular response code.

  • Status changed to Closed: works as designed over 1 year ago
  • Comment over 1 year ago
    🇨🇦Canada gapple
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024