- Issue created by @gapple
Content Security Policy is a browser feature that helps prevent XSS and other attacks by sending a header that informs the browser of trusted sources for page resources. In modern browsers, it replaces the use of X-Frame-Options with the directive frame-ancestors.

11.1.0 added a new service parameter, http.response.content_security_policy, but defined it with an empty value.

For backwards compatibility with X-Frame-Options, the default policy is set by \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespondSetCspPolicy, with the value of any X-Frame-Options header translated to a frame-ancestors directive.

Remove \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespondSetCspPolicy, and instead define the default policy in core.services.yml and default.services.yml.
Drupal 11.x set a default Content-Security-Policy header that included any X-Frame-Options header translated to a corresponding frame-ancestors directive if a value was not set for the http.response.content_security_policy service parameter.

In Drupal 12.0 and later, the Content-Security-Policy header is only set by the value of the http.response.content_security_policy service parameter.
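The translation the issue describes, written out as a stand-alone example (this is added illustration, not Drupal core's FinishResponseSubscriber code): a legacy X-Frame-Options value is mapped to a frame-ancestors source list, and that directive is appended to a configured policy only when the policy does not already carry one. The function names, the stand-in $configuredPolicy argument (representing the http.response.content_security_policy parameter as a string) and the handling of ALLOW-FROM are this example's own assumptions.

```php
<?php
// Added example (not Drupal core code). Maps X-Frame-Options to a CSP
// frame-ancestors directive and merges it into a configured policy.
// Function names and edge-case handling are assumptions for illustration.

declare(strict_types=1);

/**
 * Map an X-Frame-Options value to a frame-ancestors source list.
 *
 * Returns NULL for an unrecognised value so the caller leaves the policy
 * alone instead of emitting a directive the browser would reject.
 */
function frameAncestorsFromXFrameOptions(string $xfo): ?string {
  $value = strtoupper(trim($xfo));
  if ($value === 'DENY') {
    return "'none'";
  }
  if ($value === 'SAMEORIGIN') {
    return "'self'";
  }
  // ALLOW-FROM is ignored by current browsers; carrying the origin over to
  // CSP keeps the restriction instead of silently dropping it. CSP expects a
  // bare origin (scheme://host[:port]), not a URL with a path.
  if (preg_match('/^ALLOW-FROM\s+(\S+)$/i', trim($xfo), $m)) {
    $parts = parse_url($m[1]);
    if (is_array($parts) && !empty($parts['scheme']) && !empty($parts['host'])) {
      $origin = $parts['scheme'] . '://' . $parts['host'];
      if (!empty($parts['port'])) {
        $origin .= ':' . $parts['port'];
      }
      return $origin;
    }
  }
  return NULL;
}

/**
 * Build the Content-Security-Policy header value to send.
 *
 * $configuredPolicy stands in for the http.response.content_security_policy
 * parameter. When it lacks a frame-ancestors directive and an X-Frame-Options
 * header is present, a translated directive is appended. An existing
 * frame-ancestors directive is never duplicated: a CSP with the same
 * directive twice makes the browser ignore the second copy, so the
 * configured value wins. Returns NULL when there is nothing to send.
 */
function buildContentSecurityPolicy(string $configuredPolicy, ?string $xFrameOptions): ?string {
  $directives = array_values(array_filter(array_map('trim', explode(';', $configuredPolicy))));
  $hasFrameAncestors = FALSE;
  foreach ($directives as $directive) {
    if (stripos($directive, 'frame-ancestors') === 0) {
      $hasFrameAncestors = TRUE;
      break;
    }
  }
  if (!$hasFrameAncestors && $xFrameOptions !== NULL) {
    $sources = frameAncestorsFromXFrameOptions($xFrameOptions);
    if ($sources !== NULL) {
      $directives[] = 'frame-ancestors ' . $sources;
    }
  }
  return $directives ? implode('; ', $directives) : NULL;
}

// Constructed inputs: empty parameter (the 11.1.0 default) with the two
// common X-Frame-Options values, a site-configured policy without
// frame-ancestors, one that already sets it, and no header at all.
$cases = [
  ['', 'SAMEORIGIN'],
  ['', 'DENY'],
  ["default-src 'self'", 'SAMEORIGIN'],
  ["frame-ancestors https://embed.example", 'DENY'],
  ['', NULL],
];
foreach ($cases as [$policy, $xfo]) {
  printf("policy=%s xfo=%s => %s\n",
    var_export($policy, TRUE),
    var_export($xfo, TRUE),
    var_export(buildContentSecurityPolicy($policy, $xfo), TRUE));
}
```

Under the 12.0 behaviour in the change record above, the translation branch disappears: a site that today relies on X-Frame-Options alone to produce frame-ancestors has to state the directive in http.response.content_security_policy itself, or the CSP header will carry no framing restriction.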
Status: Postponed
Version: 11.0 🔥
Tags: Security improvements, Needs change record