- Issue created by @kruser
- United Kingdom mcdruid
...a site must have seckit's CSP reporting functionality enabled
...isn't necessarily as simple as one checkbox, unfortunately.
Generally if you don't have seckit's overall CSP functionality enabled at all, the endpoint for receiving violation reports will be switched off.
In the 7.x branch, reports will not be processed (even if CSP is enabled) if:
- The overall "disable seckit" option is enabled.
- The report-uri value is empty.
See: https://git.drupalcode.org/project/seckit/-/blob/7.x-1.x/seckit.module?r...
In the 2.x branch it doesn't look like the reporting endpoint gets disabled regardless of the settings; I have a feeling there's an issue open to change that.
- United Kingdom mcdruid
As for which D10/11 core releases include the improvements to log parsing which mean that this issue doesn't affect them...
https://www.drupal.org/project/drupal/issues/2481349#comment-15427053 (Prevent the use of placeholders that cannot be converted into strings when creating logs, status: Fixed)
The commit was 4th February 2024 and was...
.. Backported to 10.2.x as a low risk bug fix.
Committed and pushed 367e57e7bc to 11.x and a335588be2 to 10.2.x.
Looking at the list of core releases (not sure if there's a better place to see a listing along with the dates for each, but one way of seeing it is to look at a specific release node e.g. https://www.drupal.org/project/drupal/releases/10.3.4), the relevant ones seem to be:
- 10.2.7 - 6 June 2024
- 10.3.0-rc1 - 5 June 2024
- 10.3.0-beta1 - 17 May 2024
- 10.2.6 - 1 May 2024
- 10.4.x-dev - 30 April 2024
- 10.2.5 - 3 April 2024
- 10.2.4 - 6 March 2024
- 10.3.x-dev - 21 February 2024
- 10.2.3 - 7 February 2024
- 10.1.8 - 17 January 2024
- 10.2.2 - 17 January 2024
So we might assume that all stable 10.3.x releases have the change, and it was most likely included in 10.2.3
Checking that: https://git.drupalcode.org/project/drupal/-/blob/10.2.3/core/lib/Drupal/...
Yes, it was included in 10.2.3 - so that release and anything more recent should be unaffected.
At the time of issuing the SA, the most recent Security Release of 10.2.x is still 10.2.2 from a few weeks before that change was committed, which is why the 2.x branch of seckit was still included in the SA.
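An added example, not from this thread or the seckit project, that encodes the release analysis in the comment above so a site inventory can be checked for the core log-parsing fix; the regex, the function names and the "unknown" result for 10.2.x dev snapshots are my assumptions:

```python
import re

# Per the thread: the fix was committed on 4 Feb 2024 and backported to 10.2.x, first
# shipping in 10.2.3. 10.3.x was branched after that date, and 11.x carries the commit.
FIXED_IN_10_2 = 3

# major.minor.patch, where patch may be "x" for a dev branch, optionally -beta1 / -rc1 / -dev
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+|x)(?:-([a-z]+)(\d*))?$")


def parse_drupal_version(version):
    """Split a Drupal core version string into (major, minor, patch, pre_tag, pre_num).

    patch is None for an "x" dev branch; pre_tag/pre_num are None for a plain release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    return (
        int(major),
        int(minor),
        None if patch == "x" else int(patch),
        pre_tag,
        int(pre_num) if pre_num else None,
    )


def has_log_placeholder_fix(version):
    """True if the release includes the fix, False if it predates it, None if unknowable.

    Only 10.x and 11.x are covered by the thread's analysis; anything older returns False.
    """
    major, minor, patch, _pre_tag, _pre_num = parse_drupal_version(version)
    if major >= 11:
        return True
    if major < 10 or minor < 2:
        return False          # 9.x and 10.1.x never received the backport
    if minor >= 3:
        return True           # 10.3.x / 10.4.x branches were created after the commit
    if patch is None:
        return None           # a 10.2.x dev snapshot may or may not include it
    return patch >= FIXED_IN_10_2


def unpatched_sites(inventory):
    """Return the names of sites whose core version is known to lack the fix."""
    return sorted(name for name, ver in inventory.items() if has_log_placeholder_fix(ver) is False)
```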
- Status changed to Fixed
8:51am 12 September 2024 - United Kingdom mcdruid
Hopefully clarification has been provided, so closing as we don't need more open issues in the queue :)
Automatically closed - issue fixed for 2 weeks with no activity.