Hide 'strict-dynamic' from directive config

Created on 13 June 2024, 13 days ago

Updated 14 June 2024, 13 days ago

Problem/Motivation

'strict-dynamic' requires a hash or nonce to authorize corresponding assets since any other sources, like 'self' or domains, are ignored once it is enabled. Enabling it in the config form is likely to only block all assets since the module doesn't compute either.
A site currently wanting to use 'strict-dynamic' would need to alter the library asset elements rendered by core (to add a nonce, or to compute hashes), so should be adding 'strict-dynamic' in their own event subscriber as well.

Proposed resolution

Remove 'strict-dynamic' from the options that can be enabled for script-src on the configuration page.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task

Status

Fixed

Version

2.0

Component

Code

Created by

🇨🇦Canada gapple

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @gapple

Comment 13 days ago →

System Message

gapple → committed b14f7ae0 on 2.x

Issue #3454522: Hide 'strict-dynamic' from directive config options

Status changed to Fixed 13 days ago12:08am 14 June 2024
Comment 13 days ago →
🇨🇦Canada gapple

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024