- Issue created by @tm01xx
- 🇳🇱Netherlands groendijk
Maybe consider not only looking at paths, but also having somewhere you can define roles, in which case other rules are applied. The easiest fix would be to just add unsafe-inline when a user's role is in the defined roles.
- 🇳🇿New Zealand jweowu
You can use hook_seckit_options_alter() to modify the settings however you wish based on any arbitrary criteria, certainly including "this is an admin path". For the Drupal 8+ versions, you'll need ✨ Provide hook_seckit_options_alter() D8 Needs review to provide the hook.
- 🇳🇱Netherlands groendijk
Nice, thanks @jweowu! I think this issue can be closed now. Agree, @tm01xx?
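The approach jweowu recommends (alter the seckit options per request instead of patching the module), combined with tm01xx's idea of gating on a defined set of roles, as an added example that is not part of this thread and not code from the seckit module. It assumes a custom module named mymodule, that the hook receives the options array by reference with keys mirroring the seckit_xss.csp.* config names used in this thread, and that the privileged role is called administrator; the Drupal 8+ hook is still in review, so check seckit.api.php in the version you run for the real signature and array shape.

```php
<?php

/**
 * @file
 * Hypothetical mymodule.module: relax CSP only on admin routes for chosen roles.
 */

/**
 * Implements hook_seckit_options_alter().
 *
 * ASSUMED: the hook passes the seckit options by reference, laid out like the
 * seckit_xss.csp.* config keys (script-src, report-only, nonce, ...). Verify
 * against seckit.api.php before relying on this.
 */
function mymodule_seckit_options_alter(array &$options) {
  // 1. Scope the relaxation to admin routes, not to "any authenticated user".
  //    router.admin_context / isAdminRoute() exist in Drupal 8+ core and use
  //    the current route match when no Route is passed.
  /** @var \Drupal\Core\Routing\AdminContext $admin_context */
  $admin_context = \Drupal::service('router.admin_context');
  if (!$admin_context->isAdminRoute()) {
    return;
  }

  // 2. Additionally require one of a defined set of roles (site-specific;
  //    'administrator' is an assumption for this example).
  $relaxed_roles = ['administrator'];
  $account = \Drupal::currentUser();
  if (!array_intersect($relaxed_roles, $account->getRoles())) {
    return;
  }

  // 3. Append 'unsafe-inline' to script-src instead of replacing the
  //    directive, and leave every other directive and report-only mode alone
  //    so the rest of the policy keeps being enforced and reported.
  $script_src = $options['seckit_xss']['csp']['script-src'] ?? '';
  if (strpos($script_src, "'unsafe-inline'") === FALSE) {
    $options['seckit_xss']['csp']['script-src'] = trim($script_src . " 'unsafe-inline'");
  }
}
```

Two practical caveats: browsers that implement CSP Level 2 or later ignore 'unsafe-inline' in a directive that also carries a nonce or hash source, so if seckit's nonce option is enabled this relaxation has no effect and you should instead make the offending inline scripts carry the nonce; and because the outcome now depends on the current user and route, keep the relaxation as narrow as the two checks above make it, since an admin page with 'unsafe-inline' is exactly where a stored XSS does the most damage.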
- First commit to issue fork.
- 🇨🇦Canada gurpreet_chahal
We had a similar requirement at our agency. I've added the following patch and it works to ignore /admin routes.
Although I believe it's not an ideal solution to exclude /admin paths from CSP checks, since one might be dealing with multiple modules and tons of inline scripts, it would still act as a shortcut/hack to ignore the CSP violations for admin.
diff --git a/config/install/seckit.settings.yml b/config/install/seckit.settings.yml index 89278fb8d..9628b99a0 100644 --- a/config/install/seckit.settings.yml +++ b/config/install/seckit.settings.yml @@ -52,3 +52,4 @@ seckit_various: referrer_policy: FALSE referrer_policy_policy: 'no-referrer-when-downgrade' disable_autocomplete: FALSE + csp_disable_for_authenticated_users: FALSE diff --git a/config/schema/seckit.schema.yml b/config/schema/seckit.schema.yml index a51f2163b..3e27e53f7 100644 --- a/config/schema/seckit.schema.yml +++ b/config/schema/seckit.schema.yml @@ -177,3 +177,7 @@ seckit.settings: disable_autocomplete: type: boolean label: 'Disable autocomplete' + csp_disable_for_authenticated_users: + type: boolean + label: 'Disable CSP for Authenticated users' + diff --git a/src/EventSubscriber/SecKitEventSubscriber.php b/src/EventSubscriber/SecKitEventSubscriber.php index 72ef923f5..8fe253bcc 100644 --- a/src/EventSubscriber/SecKitEventSubscriber.php +++ b/src/EventSubscriber/SecKitEventSubscriber.php @@ -214,6 +214,7 @@ public function seckitCsp() { $csp_report_uri = $this->config->get('seckit_xss.csp.report-uri'); $csp_upgrade_req = $this->config->get('seckit_xss.csp.upgrade-req'); $add_nonce = $this->config->get('seckit_xss.csp.nonce'); + $csp_disable_for_authenticated_users = $this->config->get('seckit_various.csp_disable_for_authenticated_users'); // $csp_policy_uri = $this->config->get('seckit_xss.csp.policy-uri'); // Prepare directives. $directives = []; 
@@ -280,6 +281,9 @@ public function seckitCsp() { // } // send HTTP response header if directives were prepared. if ($directives) { + if ($csp_disable_for_authenticated_users && \Drupal::currentUser()->isAuthenticated()) { + return; + } if ($csp_report_only) { // Use report-only mode. $this->response->headers->set('Content-Security-Policy-Report-Only', $directives); diff --git a/src/Form/SecKitSettingsForm.php b/src/Form/SecKitSettingsForm.php index cda4f02a7..9c3c84101 100644 --- a/src/Form/SecKitSettingsForm.php +++ b/src/Form/SecKitSettingsForm.php @@ -731,6 +731,14 @@ public function buildForm(array $form, FormStateInterface $form_state) { '#description' => $this->t('Prevent the browser from populating login/registration form fields using its autocomplete functionality. This as populated fields may contain sensitive information, facilitating unauthorized access.'), ]; + // Ignore for authenticated users + $form['seckit_various']['csp_disable_for_authenticated_users'] = [ + '#type' => 'checkbox', + '#default_value' => $config->get('seckit_various.csp_disable_for_authenticated_users'), + '#title' => 'Disable CSP directives for logged-in users', + '#description' => $this->t("Disable for authenticated users"), + ]; + return parent::buildForm($form, $form_state); }
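Review bot: in the config/install/seckit.settings.yml hunk the new key is filed under `seckit_various` although it only affects the CSP header; every other CSP setting read in `seckitCsp()` lives under `seckit_xss.csp.*` (`report-uri`, `upgrade-req`, `nonce`), so a key such as `seckit_xss.csp.disable_for_authenticated_users` would keep the CSP options together and make the form placement obvious. Existing sites also never receive a value from config/install, so the feature currently relies on a missing key reading as NULL; either add an update hook that writes the FALSE default or note that in the change record.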
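Review bot: the config/schema/seckit.schema.yml hunk ends with a stray added blank line (`+` with nothing after it), which the YAML/phpcs checks will flag, and the label 'Disable CSP for Authenticated users' should use sentence case to match the neighbouring 'Disable autocomplete' label.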
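Review bot: in the first SecKitEventSubscriber.php hunk (around line 214) the setting is read into `$csp_disable_for_authenticated_users` next to the other config reads but is not acted on until after the whole `$directives` array has been assembled; doing the early return right here, before any directive is built, avoids computing a policy that is then thrown away and keeps the bail-out next to the condition that drives it.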
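Review bot: the guard in the second SecKitEventSubscriber.php hunk tests `\Drupal::currentUser()->isAuthenticated()`, so it drops the header for every logged-in user on every route, not just `/admin` as the comment above the patch says; if admin pages are the target, check the route (core's `router.admin_context` service exposes `isAdminRoute()`) and inject `current_user` or `router.admin_context` into the subscriber's constructor instead of the static `\Drupal::currentUser()` call, which Drupal's coding standards discourage in injectable classes. The `return;` also sits before the `$csp_report_only` branch, so authenticated traffic sends neither `Content-Security-Policy` nor `Content-Security-Policy-Report-Only`; consider leaving report-only mode active so violations on admin pages are still reported, or at least say in the option's description that reporting stops too.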
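Review bot: in the SecKitSettingsForm.php hunk `'#title' => 'Disable CSP directives for logged-in users'` is a bare string while the sibling `'#description'` goes through `$this->t()`, so the title is untranslatable; the description "Disable for authenticated users" also just repeats the title instead of stating the consequence (no CSP or report-only header at all for logged-in users on every path). Minor: the comment `// Ignore for authenticated users` needs the trailing full stop required by Drupal coding standards, and since this is a CSP option it belongs in the CSP section of the form rather than under `seckit_various`.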
- 🇳🇿New Zealand jweowu
> I've added the following patch and it works to ignore /admin routes.
It seems to be ignoring authenticated users, rather than just /admin routes.
In any case, I would again recommend using ✨ Provide hook_seckit_options_alter() D8 Needs review to implement conditional behaviour. (That feature should be merged at some point.)