Check that the CSP header is added to SVG files

Created on 18 May 2025, 2 months ago

Problem/Motivation

This is a followup to #2868079: Add a default Content-Security-Policy-header for svg files.
This issue adds a CSP header for SVG files.
It would be useful to have a check in the status report that makes sure this CSP is added correctly.
However, this has some challenges:

  • We need to write an SVG file then remove it.
  • The site needs to be able to send an HTTP request to itself.

We can't always guarantee this, especially when running the checks in a CLI environment.

Steps to reproduce

Proposed resolution

Some work was started here: https://git.drupalcode.org/project/drupal/-/blob/a70fae35ca4f0a09a5e5665...

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Feature request
Status

Postponed

Version

11.0 🔥

Component

other

Created by

🇫🇷France prudloff Lille
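The check described in the issue, as an added sketch that is not Drupal's code or the linked work in progress: write a probe SVG, request it over HTTP, read the `Content-Security-Policy` response header, and always remove the probe. It is written in Python so it runs stand-alone; `check_svg_csp`, `serve`, `demo` and the policy string `default-src 'none'` are constructed for the example, and a failed self-request is reported as "unknown" rather than as a missing header.

```python
import http.server, os, tempfile, threading, urllib.request, uuid

PROBE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"/>'

def check_svg_csp(files_dir, base_url, timeout=5):
    """Return ("ok", policy), ("missing", None) or ("unknown", reason)."""
    name = f"csp-probe-{uuid.uuid4().hex}.svg"  # unguessable, avoids collisions
    path = os.path.join(files_dir, name)
    try:
        with open(path, "wb") as fh:
            fh.write(PROBE_SVG)
    except OSError as exc:
        return ("unknown", f"cannot write probe file: {exc}")
    try:
        with urllib.request.urlopen(f"{base_url}/{name}", timeout=timeout) as resp:
            policy = resp.headers.get("Content-Security-Policy")
    except OSError as exc:  # URLError, HTTPError and timeouts are OSError subclasses
        # Self-request failed (CLI run, firewall, wrong base URL): not a finding.
        return ("unknown", f"self-request failed: {exc}")
    finally:
        os.remove(path)  # the probe file never outlives the check
    return ("ok", policy) if policy else ("missing", None)

def serve(directory, csp=None):
    """Constructed local server standing in for the site's web server."""
    class Handler(http.server.SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=directory, **kwargs)
        def end_headers(self):
            if csp and self.path.endswith(".svg"):
                self.send_header("Content-Security-Policy", csp)
            super().end_headers()
        def log_message(self, *args): pass  # keep the demo quiet
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, csp in (("with_header", "default-src 'none'"), ("without_header", None)):
            srv, url = serve(d, csp)
            results[label] = check_svg_csp(d, url)
            srv.shutdown(); srv.server_close()
        results["unreachable"] = check_svg_csp(d, url, timeout=1)  # server is closed now
        results["leftovers"] = os.listdir(d)  # must be empty: probes were removed
    return results

if __name__ == "__main__":
    print(demo())
```

The three-way result is what makes the check usable in a status report: only "missing" is a hardening finding, while "unknown" covers the environments where the site cannot reach itself.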

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
