Forward CSP nonces when inserting JS from AJAX requests

Created on 8 November 2024

Problem/Motivation

Nonces are an easy way to implement CSP on legacy Drupal 7 sites without resorting to the unsafe-inline directive (which largely defeats the purpose). Nonces also allow inline scripts, i.e. Drupal.settings, to keep working without further changes.

Apart from generating the nonce and adding it to all script tags, one more adjustment is needed: when inserting AJAX-loaded scripts, Drupal needs to forward the nonce to those scripts. This requires a minor change to misc/ajax.js.
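The forwarding step, as an added illustration that is not the patch attached to this issue: it assumes the CSP module emits the nonce on the page's own script tags, and the function names are mine. Where in misc/ajax.js the stamping has to happen depends on how the response markup is actually executed; the browser checks the nonce when a script element is prepared for execution, so it must be present before insertion.

```javascript
// The page nonce is minted once per page load, so a later AJAX response
// cannot know it; the client copies it onto every <script> it inserts.

// Nonces are base64/base64url per the CSP grammar; refuse anything else so
// an unexpected value is never written into an attribute.
const NONCE_RE = /^[A-Za-z0-9+/=_-]+$/;

// Read the nonce the server put on an existing script tag. CSP3 "nonce
// hiding" makes getAttribute('nonce') return '' in current browsers, so the
// IDL property `.nonce` is the reliable source; the attribute is a fallback.
function readPageNonce(doc) {
  const tagged = doc.querySelector('script[nonce]');
  if (!tagged) return null;
  const nonce = tagged.nonce || tagged.getAttribute('nonce') || '';
  return NONCE_RE.test(nonce) ? nonce : null;
}

// Stamp `nonce` onto every <script> in `container` that does not already
// carry one. Returns how many scripts were stamped.
function forwardNonce(container, nonce) {
  if (typeof nonce !== 'string' || !NONCE_RE.test(nonce)) {
    throw new Error('refusing to forward a malformed nonce');
  }
  let stamped = 0;
  for (const script of container.querySelectorAll('script')) {
    if (script.nonce) continue;           // already authorised, leave as is
    script.setAttribute('nonce', nonce);  // content attribute
    script.nonce = nonce;                 // keep the IDL property in sync
    stamped += 1;
  }
  return stamped;
}

// Glue for the AJAX insert path: call on the detached container holding the
// response markup, before it is attached. Returns the number of scripts
// authorised, or -1 when the page carries no nonce (no nonce-based CSP).
function prepareAjaxScripts(container, doc) {
  const nonce = readPageNonce(doc);
  if (nonce === null) return -1;
  return forwardNonce(container, nonce);
}
```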

Steps to reproduce

  • Enable a module that implements CSP nonces (e.g. d7csp).
  • Find any combination of modules that leads to scripts being loaded in AJAX requests. I'm afraid I don't have a simple way to do this. My configuration involves: webform + webform_ajax + webform_paymethod_select + stripe_payment.
  • Result: the browser console shows CSP errors for the inline scripts, which are not authenticated by a nonce.

Proposed resolution

Patch misc/ajax.js so that it forwards existing nonces to scripts loaded via AJAX.

Remaining tasks

Review the patch.

User interface changes

None.

Introduced terminology

CSP-related terminology.

API changes

None.

Data model changes

None.

Release notes snippet

tbd

Feature request
Status

Active

Version

7.0 ⚰️

Component

ajax system

Created by

torotil (Austria)
