- Issue created by @gapple
Content Security Policy is a browser feature that helps prevent XSS and other attacks by sending a header that informs the browser of trusted sources for page resources. In modern browsers, it replaces the use of X-Frame-Options with the directive frame-ancestors.
11.1.0 added a new service parameter, http.response.content_security_policy, but defined it with an empty value.
For backwards compatibility with X-Frame-Options, the default policy is set by \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespondSetCspPolicy, with the value of any X-Frame-Options header translated to a frame-ancestors directive.
Remove \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespondSetCspPolicy, and instead define the default policy in core.services.yml and default.services.yml.
Drupal 11.x set a default Content-Security-Policy header that included any X-Frame-Options header translated to a corresponding frame-ancestors directive if a value was not set for the http.response.content_security_policy service parameter.
In Drupal 12.0 and later, the Content-Security-Policy header is only set by the value of the http.response.content_security_policy service parameter.
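As an added illustration (not Drupal core's FinishResponseSubscriber code) of the translation the 11.x default performs, the PHP below maps legacy X-Frame-Options values to their frame-ancestors equivalents and lets an explicitly configured policy take precedence; the function names and the handling of the non-standard ALLOW-FROM form are assumptions.

```php
<?php
// Added example, not Drupal core's implementation: translate a legacy
// X-Frame-Options header into a Content-Security-Policy frame-ancestors
// directive, the way the page describes the 11.x default behaving.
declare(strict_types=1);

/**
 * Map an X-Frame-Options value to a frame-ancestors source list, or NULL
 * when the value has no CSP equivalent and must not be translated.
 */
function xfoToFrameAncestors(string $xfo): ?string {
  $value = trim($xfo);
  // Header values are case-insensitive.
  if (strcasecmp($value, 'DENY') === 0) {
    return "'none'";
  }
  if (strcasecmp($value, 'SAMEORIGIN') === 0) {
    return "'self'";
  }
  // ALLOW-FROM was never standardised and modern browsers ignore it;
  // frame-ancestors can express the same intent as a host source
  // (assumed handling: only an http(s) origin is accepted).
  if (preg_match('/^ALLOW-FROM\s+(\S+)$/i', $value, $m)
      && preg_match('#^https?://[^/\s]+$#i', $m[1])) {
    return $m[1];
  }
  // Anything else is not a safe translation; emit no directive.
  return NULL;
}

/**
 * Build the Content-Security-Policy header value: an explicitly configured
 * policy wins; otherwise fall back to translating X-Frame-Options.
 */
function buildCspHeader(?string $configuredPolicy, ?string $xfo): ?string {
  if ($configuredPolicy !== NULL && trim($configuredPolicy) !== '') {
    return trim($configuredPolicy);
  }
  $sources = $xfo === NULL ? NULL : xfoToFrameAncestors($xfo);
  return $sources === NULL ? NULL : 'frame-ancestors ' . $sources;
}

// Constructed sample header values.
assert(buildCspHeader(NULL, 'SAMEORIGIN') === "frame-ancestors 'self'");
assert(buildCspHeader(NULL, 'deny') === "frame-ancestors 'none'");
assert(buildCspHeader(NULL, 'ALLOW-FROM https://example.com') === 'frame-ancestors https://example.com');
assert(buildCspHeader("frame-ancestors 'self' https://cms.example.net", 'DENY')
       === "frame-ancestors 'self' https://cms.example.net");
assert(buildCspHeader(NULL, 'bogus') === NULL);
```

With the 12.0 behaviour described above, only the first branch of buildCspHeader applies: a site that relied on the automatic translation needs a frame-ancestors value in its services.yml parameter, otherwise no Content-Security-Policy header is sent.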
Postponed
11.0 🔥