Use of inline script is not compatible with a content-security policy

Open on Drupal.org →

Created on 31 July 2024, 4 months ago

Problem/Motivation

The default `navigation.html.twig` has this in the footer

<script>
  if (localStorage.getItem('Drupal.navigation.sidebarExpanded') !== 'false' && (window.matchMedia('(min-width: 1024px)').matches)) {
    document.documentElement.setAttribute('data-admin-toolbar', 'expanded');
  }
</script>

This is not compatible with a content security policy that prevents unsafe-inline

Steps to reproduce

Enable CSP (e.g use CSP module or seckit module or nginx rules)
Login and see error in page.

Proposed resolution

Move the script to a file and use attach_library.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Active

Version

11.0 🔥

Component

Last updated about 7 hours ago

No maintainer

Created by

🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10

Live updates comments and jobs are added and updated live.

Novice
It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

Sign in to follow issues

Merge Requests

!9047Use of inline script is not compatible with a content-security policy
Open
🇪🇸Spain abarrio
updated 4 months ago

Comments & Activities

Issue created by @larowlan
First commit to issue fork.
Assigned to bhaveshdas
Comment 4 months ago →
🇮🇳India bhaveshdas
Issue was unassigned.
Comment 4 months ago →
🇮🇳India bhaveshdas
Comment 4 months ago →
🇪🇸Spain abarrio
abarrio → changed the visibility of the branch 3464841-use-of-inline to hidden.
Merge request !9047Issue #3464841: Move js code from twig → (Open) created by abarrio
Comment 4 months ago →
🇪🇸Spain abarrio
Created merge with the js code moved to file 'admin-toolbar-wrapper.js'.
Status changed to Needs review 4 months ago4:07pm 2 August 2024
Comment 4 months ago →
🇪🇸Spain abarrio
Pipeline finished with Failed
4 months ago
Total: 173s
#241926
Status changed to Needs work 4 months ago9:11pm 4 August 2024
Comment 4 months ago →
🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
Thanks for this - there's some linting fails in the new file if you could resolve those - thanks!
Pipeline finished with Failed
4 months ago
#243810
Pipeline finished with Failed
4 months ago
Total: 519s
#243813
Comment 4 months ago →
🇪🇸Spain abarrio
Fixed coding standard but still needs a work on tests.
Comment 2 months ago →
🇪🇸Spain rodrigoaguilera Barcelona
Comment 2 months ago →
🇷🇸Serbia finnsky
Inlining this script wasn't mistake. We wanted to have it executed right after render to avoid script loading. And use localstorage in most fastest way.

For me it is obvious not a Novice issue.
Since here we need to find golden middle between script execution time and CSP requirements.
Comment 2 months ago →
🇮🇳India nayana_mvr
I'm unable to reproduce this issue in D11 local setup navigation module enabled. I tried with CSP(Content Security Policy) module and Seckit (Security Kit) module. Couldn’t find any module named nginx rules. Is there any specific configuration to be done in the CSP or Seckit module to get that error? Also, does the error occur in login page itself or any of the admin page?
Comment 2 months ago →
🇮🇳India nayana_mvr
Attaching screen recording for reference.
Comment about 2 months ago →
🇷🇸Serbia finnsky
@nayana_mvr
What can we do here?
The best thing is to add an instantly executable script(library) that will have no dependencies and will have the smallest weight. And doing the same thing that the inline script does now. It doesn't need Drupal or once. It even can start earlier than navigation is rendered.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024