- Issue created by @gapple
- 🇨🇦Canada gapple
Now also included is
PolicyHelper::requireUnsafeInline(), which will apply to the necessary subdirective and fallback, but ensure the other subdirective doesn't fall back (if it does not yet have a value).It will remove any nonce or hash so that
'unsafe-inline'applies - this could cause problems if called after another module adds a nonce or hash that would require a non-'unsafe-inline'fallback, so it should be called in an alter subscriber that's prioritized to execute earlier than others. - Status changed to Needs review
3 months ago 7:19pm 3 April 2024 - 🇨🇦Canada gapple
I altered the parameter order so that a fallback value is always required, and added a note on the method docblock about properly calling
requireUnsafeInline()early. - 🇨🇦Canada gapple
Noticed some extra cases to test:
- if appending a new nonce or hash and the directive already includes a nonce, hash, or strict-dynamic (which disable 'unsafe-inline'), then the value should be appended (and not the fallback).
- if requiring 'unsafe-inline' and the directive includes 'unsafe-hashes'Some cleanup is possible with 'unsafe-hashes':
- if 'unsafe-hashes' isn't present on an attribute directive (e.g. it was copied from the base directive), any hashes can be removed since they're not effective (assume they correspond to permitted hashes of elements).
- remove 'unsafe-hashes' from an element directive. - Status changed to Fixed
about 2 months ago 6:27am 10 May 2024 Automatically closed - issue fixed for 2 weeks with no activity.