RenderElementAttachedCspSubscriber does not detect elements with nonces added in hook_page_attachments

Created on 29 August 2024, 7 months ago
Updated 6 September 2024, 7 months ago

Problem/Motivation

We're attaching a script html tag to html_head via hook_page_attachments and trying to add a nonce to the render array. This mostly works, but csp_nonce doesn't exist in the page attachments in RenderElementAttachedCspSubscriber.

Steps to reproduce

<?php

use Drupal\csp\Csp;

/**
 * Implements hook_page_attachments().
 *
 * Attaches an inline script to html_head with a CSP nonce placeholder. The
 * csp_nonce fallback is declared on the html_head element's own #attached.
 */
function mymodule_page_attachments(array &$attachments) {
  // Placeholder string that the csp.nonce_builder lazy builder replaces with
  // the per-request nonce when the element is rendered.
  $placeholderKey = \Drupal::service('csp.nonce_builder')->getPlaceholderKey();
  $script = [
    '#type' => 'html_tag',
    '#tag' => 'script',
    '#value' => 'console.log("Hello, World!");',
    '#attributes' => [
      'nonce' => $placeholderKey,
    ],
    '#attached' => [
      // Fallback if nonces are not available: allow 'unsafe-inline' for script-src.
      'csp_nonce' => [
        'script' => Csp::POLICY_UNSAFE_INLINE,
      ],
      'placeholders' => [
        $placeholderKey => [
          '#lazy_builder' => ['csp.nonce_builder:renderNonce', []],
        ],
      ],
    ],
  ];

  $attachments['#attached']['html_head'][] = [$script, 'mymodule_page_attachments'];
}

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request
Status

Closed: works as designed

Version

2.0

Component

Code

Created by

🇦🇺Australia mstrelan


Merge Requests

Comments & Activities

  • Issue created by @mstrelan
  • Merge request !44 "Test case" (Open) created by mstrelan
  • Status changed to Needs work 7 months ago
  • 🇦🇺Australia mstrelan

    Added failing test to demonstrate

  • Pipeline finished with Failed (7 months ago, Total: 136s, #267639)
  • 🇨🇦Canada gapple

    Thanks for testing out the new feature :)

    That looks right. IIRC, hook_page_attachments is called after the page contents are rendered and all the metadata is bubbled up. html_head is then rendered separately by the attachments processor without bubbling.

    ----

    Won't be an issue until something else uses csp_nonce with a fallback that's not 'unsafe-inline', but the fallback value should be an array so it can be merged.
    $attachments['#attached']['csp_nonce']['script'][] = Csp::POLICY_UNSAFE_INLINE;
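    The following is an added example (not code from the issue or from the csp module) of the attachment layout that the comment above describes: the nonce placeholder stays on the html_head element, where the renderer resolves it while rendering that element in isolation, while the csp_nonce fallback is declared on the page-level attachments that RenderElementAttachedCspSubscriber does inspect, as an array entry so that other modules' fallbacks can merge with it. The module name mymodule, the html_head key and the script body are placeholders; the csp.nonce_builder service and Csp::POLICY_UNSAFE_INLINE are taken from the issue.

```php
<?php

use Drupal\csp\Csp;

/**
 * Implements hook_page_attachments().
 *
 * Added example: csp_nonce fallback on the page attachments, nonce
 * placeholder on the html_head element. Names prefixed "mymodule" are
 * placeholders, not real module code.
 */
function mymodule_page_attachments(array &$attachments) {
  // Placeholder string replaced with the per-request nonce by the lazy builder.
  $placeholderKey = \Drupal::service('csp.nonce_builder')->getPlaceholderKey();

  $script = [
    '#type' => 'html_tag',
    '#tag' => 'script',
    '#value' => 'console.log("Hello, World!");',
    '#attributes' => [
      'nonce' => $placeholderKey,
    ],
    // The placeholder is resolved when this element is rendered, so it can
    // stay on the element itself. #attached here is NOT bubbled to the page.
    '#attached' => [
      'placeholders' => [
        $placeholderKey => [
          '#lazy_builder' => ['csp.nonce_builder:renderNonce', []],
        ],
      ],
    ],
  ];
  $attachments['#attached']['html_head'][] = [$script, 'mymodule_inline_script'];

  // Declare the nonce fallback on the page-level attachments, which the CSP
  // subscriber reads. Appending to an array lets other modules' fallback
  // values for script-src merge instead of overwriting each other.
  $attachments['#attached']['csp_nonce']['script'][] = Csp::POLICY_UNSAFE_INLINE;
}
```

    With the fallback declared this way, the policy gains a 'nonce-...' source for script-src on requests where nonces are in use, and only falls back to 'unsafe-inline' where they are not; declaring it on the html_head element alone leaves the inline script blocked by a policy that never learned about it.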

  • Status changed to Closed: works as designed 7 months ago