Contrib.social

Add CSP entries on a per page basis

Open on Drupal.org →
Created on 3 April 2024, about 1 year ago
Updated 4 July 2024, 9 months ago

Problem/Motivation

In many cases certain CSP entries are only needed by individual pages. But at the moment we have to allow sources globally on all requests. A flexible approach similar to the metatag module would be great to have.

Proposed resolution

Add a field type similar to the metatag module that allows extending the global CSP rules on a per page basis

Feature request
Status

Closed: won't fix

Version

2.0

Component

Code

Created by

miiimooo Europe

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @miiimooo
  • Comment about 1 year ago
    🇨🇦Canada gapple

    Do you have a more concrete example of where this would be needed, and the policy changes aren't connected to a library or other information available from the response object during the policy alter event?
    🌱 Better CSP support for themes Active has some other ideas for how policies could be granularly added from page components, like providing values for additional directives in library definitions, or bubbling up data from render arrays.

    Adding CSP overrides to entities through the UI would also have user permission concerns, since it would potentially allow something like permitting script-src 'unsafe-inline' alongside an XSS vulnerability on the corresponding page.

  • Comment 12 months ago
    miiimooo Europe

    Consider a case where there is a lot of legacy content that has embedded JS and that you add CSP to in order to improve security.

    In this case, you currently have to allow things like `script-src 'unsafe-inline'` globally, and other things like JS libraries that are loaded from CDNs for instance.

    If it was possible to override this on a per-page basis, the security situation would be much better

  • Comment 12 months ago
    🇨🇦Canada gapple

    My own approach would be to have a field on legacy content that would enable the relevant CSP changes but have the values set elsewhere (or hard coded in a custom policy alter listener), assuming that legacy pages have a common set of requirements.

    I'd be open to working on changes like bubbling up metadata so that overrides could be better targeted to only apply when relevant content is rendered, but I won't be working on adding a full configuration form to entities myself.

  • Status changed to Closed: won't fix 9 months ago
  • Comment 9 months ago
    🇨🇦Canada gapple

    I did quite a bit of work on a merge request for Provides a filter to add nonce attribute to inline scripts. Needs work to go into a future 2.x release, but some of it will be split out to resolve Allow CSP to be added by render elements Needs review first.

    That will enable attaching directive sources to renderable elements, so they're only added to a page's policy when needed. A pre-render hook could apply sources for the necessary directives as needed.
    The filter could also enable legacy content that requires 'unsafe-inline', while being restricted by user permissions on the text format to keep unprivileged users from adding new inline elements.

    A configuration form on entities, like the metatag module has, is out of scope of this module but should be much easier for another module to handle once the issue for attaching values to render elements is resolved.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024