Hide 'strict-dynamic' from directive config

Created on 13 June 2024, 10 months ago

Updated 28 June 2024, 10 months ago

Problem/Motivation

'strict-dynamic' requires a hash or nonce to authorize corresponding assets since any other sources, like 'self' or domains, are ignored once it is enabled. Enabling it in the config form is likely to only block all assets since the module doesn't compute either.
A site currently wanting to use 'strict-dynamic' would need to alter the library asset elements rendered by core (to add a nonce, or to compute hashes), so should be adding 'strict-dynamic' in their own event subscriber as well.

Proposed resolution

Remove 'strict-dynamic' from the options that can be enabled for script-src on the configuration page.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task

Status

Fixed

Version

2.0

Component

Code

Created by

🇨🇦Canada gapple

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @gapple

Comment 10 months ago →

System Message

gapple → committed b14f7ae0 on 2.x

Issue #3454522: Hide 'strict-dynamic' from directive config options

Status changed to Fixed 10 months ago12:08am 14 June 2024
Comment 10 months ago →
🇨🇦Canada gapple
Comment 10 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024