The Security Kit module currently supports most Content Security Policy (CSP) directives but is missing three important directives recommended by OWASP and Google's strict CSP guidelines:
- `base-uri`: Restricts which URLs may appear in the document's `<base>` element. Without it, an injected `<base href="https://attacker.example/">` tag silently rewrites every relative script, stylesheet and link URL on the page to the attacker's host.
- `form-action`: Restricts the URLs to which forms may be submitted, so an injected or modified `<form action>` cannot send credentials or other user input to another origin.
- `manifest-src`: Restricts the origins from which web app manifests may be loaded.
These directives are considered essential for a comprehensive CSP implementation according to current security best practices. Note that `base-uri` and `form-action` do not fall back to `default-src` when omitted (`manifest-src` does), so a policy that only sets `default-src 'self'` still leaves base URIs and form targets completely unrestricted.
Steps to reproduce:
1. Install and configure the Security Kit module
2. Enable CSP protection and configure various directives
3. Check the generated Content-Security-Policy header
4. Notice that `base-uri`, `form-action`, and `manifest-src` are neither available for configuration nor included in the header
Add support for the three missing CSP directives by:
1. Extending the configuration schema in `seckit.schema.yml` to include the new directives
2. Adding form fields in `SecKitSettingsForm.php` for administrators to configure these directives
3. Updating the event subscriber in `SecKitEventSubscriber.php` to include these directives in the generated CSP header
4. Adding appropriate default values in the install configuration
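As an added, stand-alone illustration (not seckit's own code) of the two points above: how the subscriber-side join of configured directives into a header should skip empty values, and how to audit a generated header the way step 3 and 4 of the reproduction ask. The config dict is a constructed stand-in for the `seckit_xss.csp.*` keys, and the fallback table encodes the CSP rule that `base-uri`, `form-action` and `frame-ancestors` never inherit from `default-src`.

```python
"""Build a CSP header from seckit-style directive config and audit the result.

Added example; the module's real code lives in SecKitEventSubscriber.php and is
not reproduced here. Directive names match the seckit_xss.csp.* config keys.
"""

# Directives that do NOT inherit from default-src when they are omitted.
# Everything else (script-src, style-src, manifest-src, ...) falls back to it.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors"}

AUDITED = ("base-uri", "form-action", "manifest-src")


def build_csp(csp_config):
    """Join non-empty directive values into a header, in config order.

    Empty strings mean "not configured" (the proposed install default) and
    must be skipped, otherwise the header would contain a bare directive name.
    """
    parts = [
        f"{name} {value.strip()}"
        for name, value in csp_config.items()
        if value and value.strip()
    ]
    return "; ".join(parts)


def parse_csp(header):
    """Return {directive: [sources]} from a Content-Security-Policy value."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, *sources = tokens
        # Browsers honour the first occurrence of a directive and ignore repeats.
        policy.setdefault(name.lower(), sources)
    return policy


def effective_source(policy, directive):
    """Return (sources, origin) after applying the default-src fallback rule.

    origin is "explicit", "default-src" or "unrestricted" (no directive applies).
    """
    if directive in policy:
        return policy[directive], "explicit"
    if directive not in NO_FALLBACK and "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, "unrestricted"


def audit_csp(header, directives=AUDITED):
    """Report what actually governs each directive in a generated header."""
    policy = parse_csp(header)
    return {d: effective_source(policy, d) for d in directives}


# Constructed configs: a default-ish policy before the patch (the three
# directives are absent) and the same policy with the recommended values.
BEFORE = {"default-src": "'self'", "script-src": "'self'", "style-src": "'self'"}
AFTER = {
    **BEFORE,
    "base-uri": "'none'",
    "form-action": "'self'",
    "manifest-src": "'self'",
}

if __name__ == "__main__":
    for label, config in (("before", BEFORE), ("after", AFTER)):
        header = build_csp(config)
        print(f"{label}: {header}")
        for directive, (sources, origin) in audit_csp(header).items():
            print(f"  {directive:13s} {origin:13s} {sources}")
```

Running it shows the gap the issue is about: with only `default-src 'self'` present, `manifest-src` is still governed by the fallback, but `base-uri` and `form-action` report `unrestricted`, which is exactly what a reviewer should look for when inspecting the header after applying the patch.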
This enhancement maintains backward compatibility while providing more comprehensive CSP protection options.
- [ ] Review and test the patch
- [ ] Ensure all new form fields have proper descriptions and help text
- [ ] Verify backward compatibility with existing configurations
- [ ] Update any relevant documentation
Three new form fields will be added to the Security Kit configuration form under the CSP section:
- "Base URI" field for configuring `base-uri` directive
- "Form action" field for configuring `form-action` directive
- "Manifest source" field for configuring `manifest-src` directive
Each field includes descriptive help text explaining the security purpose and recommended values (e.g., `'none'` for base-uri, `'self'` for form-action and manifest-src).
New configuration keys added to `seckit.settings`:
- `seckit_xss.csp.base-uri`
- `seckit_xss.csp.form-action`
- `seckit_xss.csp.manifest-src`
These follow the existing naming convention and are fully backward compatible.
The configuration schema is extended to include three new string fields for the additional CSP directives. Default install configuration includes empty string values for these new fields, ensuring clean installations work without additional configuration; the event subscriber must skip empty values so that no bare directive name is emitted in the header.
Status: Needs review
Version: 2.0
Component: Code