[12.x] Set default Content-Security-Policy in services.yml

Created on 6 September 2024, about 2 months ago

Problem/Motivation

Content Security Policy is a browser feature that helps prevent XSS and related attacks: the server sends a header that tells the browser which sources of page resources are trusted. In modern browsers, its frame-ancestors directive supersedes the X-Frame-Options header for controlling who may frame a page.

Drupal 11.1.0 added a new service parameter, http.response.content_security_policy, but defined it with an empty value.
For backwards compatibility with X-Frame-Options, the default policy is currently set by \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespondSetCspPolicy, which translates the value of any X-Frame-Options header into a frame-ancestors directive.

Proposed resolution

Remove \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespondSetCspPolicy, and instead define the default policy in core.services.yml and default.services.yml.

Remaining tasks

User interface changes

None

API changes

Draft Change Record

In Drupal 11.x, if no value is set for the http.response.content_security_policy service parameter, a default Content-Security-Policy header is set that translates any X-Frame-Options header into a corresponding frame-ancestors directive.

In Drupal 12.0 and later, the Content-Security-Policy header is only set by the value of the http.response.content_security_policy service parameter.
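The translation described under Problem/Motivation and the 11.x versus 12.0 contrast in the change record, as an added example in plain PHP. This is not Drupal core's FinishResponseSubscriber code: the function names, the assumption that the service parameter holds the policy as a single header string, and the sample header values are all constructed for illustration.

```php
<?php
// Added illustrative example (not Drupal core code). Models how an
// X-Frame-Options value maps onto a CSP frame-ancestors directive, and how
// the 11.x fallback differs from the proposed 12.0 behaviour where only the
// http.response.content_security_policy parameter is consulted.
// Assumption: the parameter value is a complete header string such as
// "default-src 'self'; frame-ancestors 'self'".

declare(strict_types=1);

/**
 * Translate an X-Frame-Options value to a frame-ancestors source list.
 *
 * Returns NULL for values with no CSP equivalent, notably the deprecated
 * ALLOW-FROM form, which current browsers no longer honour, so that no
 * policy is silently synthesised from an unsupported value.
 */
function xfoToFrameAncestors(string $xfo): ?string {
  return match (strtoupper(trim($xfo))) {
    'DENY' => "'none'",
    'SAMEORIGIN' => "'self'",
    default => NULL,
  };
}

/**
 * Decide the Content-Security-Policy header for a response.
 *
 * $policy mirrors the http.response.content_security_policy parameter; an
 * empty string means "not configured". $xfo is the X-Frame-Options value
 * already on the response, or NULL if none was set.
 *
 * $translateXfo = TRUE models the 11.x fallback: with an empty parameter a
 * policy is derived from X-Frame-Options. FALSE models the proposed 12.0
 * rule: the parameter alone decides, and an empty parameter means no header.
 */
function buildCspHeader(string $policy, ?string $xfo, bool $translateXfo): ?string {
  $policy = trim($policy);
  if ($policy !== '') {
    return $policy;
  }
  if ($translateXfo && $xfo !== NULL) {
    $sources = xfoToFrameAncestors($xfo);
    if ($sources !== NULL) {
      return "frame-ancestors $sources";
    }
  }
  return NULL;
}

// Constructed sample responses (not captured from a real site).
$samples = [
  ['policy' => '', 'xfo' => 'SAMEORIGIN'],
  ['policy' => '', 'xfo' => 'DENY'],
  ['policy' => '', 'xfo' => 'ALLOW-FROM https://example.com'],
  ['policy' => "default-src 'self'; frame-ancestors 'self'", 'xfo' => 'SAMEORIGIN'],
  ['policy' => '', 'xfo' => NULL],
];

foreach ($samples as $s) {
  printf(
    "policy=%-50s xfo=%-32s 11.x=%-30s 12.0=%s\n",
    var_export($s['policy'], TRUE),
    var_export($s['xfo'], TRUE),
    var_export(buildCspHeader($s['policy'], $s['xfo'], TRUE), TRUE),
    var_export(buildCspHeader($s['policy'], $s['xfo'], FALSE), TRUE)
  );
}
```

Run it with `php csp_fallback.php`. The rows with an empty policy show the practical effect of the proposed change: a site that relied on the translation of SAMEORIGIN or DENY gets no Content-Security-Policy header at all under the 12.0 rule and must set the parameter explicitly. Note also that frame-ancestors is only honoured when delivered as an HTTP header; browsers ignore it in a `<meta http-equiv>` element, so the header-level default this issue concerns is the only place it can live.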

Task
Status

Postponed

Version

11.0

Component
Base

Last updated about 6 hours ago

Created by

gapple (Canada)

Tags

  • Security improvements
  • Needs change record
