Support for configuring script-src-elem

Created on 17 March 2025, 3 months ago

Problem/Motivation

Seckit does not include a place to configure the CSP `script-src-elem` directive.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cont...

CSP will fall back to using the `script-src` directive if the `script-src-elem` directive is missing, but it means that we can't use the seckit module to configure what domains we wish to allow in a

tag versus general script-src.

Steps to reproduce

Go to /admin/config/system/seckit and see that there is no field for configuring script-src-elem

Proposed resolution

Provide a field for configuring script-src-elem and outputting that directive in the CSP headers.

Remaining tasks

User interface changes

API changes

Data model changes

✨ Feature request

Status

Active

Version

2.0

Component

Code

Created by

🇺🇸United States apotek

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @apotek
Comment 3 months ago →
🇺🇸United States apotek
Assigned to mglaman
Comment 3 days ago →
🇺🇸United States mglaman WI, USA
I'll be picking this up.
Comment 3 days ago →
🇺🇸United States mglaman WI, USA
Actually, @apotek if script-src-elem isn't configured, should we default by populating it with the values of script-src? We encountered this because FF was failing but no other browsers due to missing script-src-elem even though we have script-src

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024