For a project i was developing on I needed to implement the Expect-CT headers.
Unfortunately this was not implemented to SecKit yet so I've made a patch for this.
Hope it's good enough.

Based on: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

CommentFileSizeAuthor
#6 2962380-6-seckit-expect-ct.patch4.21 KBnironan
#3 2962380-3.patch6.24 KBmcdruid
seckit-expect-ct.patch5.99 KBjochemh

Comments

jochemh created an issue. See original summary.

aspilicious’s picture

aspilicious commented
Status: Needs review » Reviewed & tested by the community

Looking good, and has a test

mcdruid’s picture

mcdruid commented
Status: Reviewed & tested by the community » Needs review
StatusFileSize
new 2962380-3.patch6.24 KB

Thanks!

I've re-rolled this so that it applies to 8.x-1.x again, and tidied a couple of things up.

I wonder whether we should also add a route/controller for the report-uri, in the same way we record CSP violations.

Details of what should be sent: https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02#section-3

I don't think we need to block this going on on that todo though; in some cases the reports may go to a totally different site/domain.

  • mcdruid committed b37d98e on 8.x-1.x 
    Issue #2962380 by jochemh, mcdruid: Add support for the Expect-CT header
mcdruid’s picture

mcdruid commented
Version: 8.x-1.x-dev » 7.x-1.x-dev
Assigned: jochemh » Unassigned
Status: Needs review » Patch (to be ported)

Thanks! Ready for backport to D7.

nironan’s picture

nironan commented
StatusFileSize
new 2962380-6-seckit-expect-ct.patch4.21 KB

First backport attemp, hope it's ok!

  • mcdruid committed 24c47b9 on 7.x-1.x authored by nironan 
    Issue #2962380 by jochemh, mcdruid, nironan: Add support for the Expect-...
mcdruid’s picture

mcdruid commented
Status: Patch (to be ported) » Fixed

Thanks!

I made a couple of small tweaks to the backport; one to fix a typo in a comment, and the other to change to the older array syntax (which is still the standard in D7 code):

diff -u b/includes/seckit.form.inc b/includes/seckit.form.inc
--- b/includes/seckit.form.inc
+++ b/includes/seckit.form.inc
@@ -455,11 +455,11 @@
     '#title' => t('Max-Age'),
     '#description' => t('Specify Max-Age value in seconds.'),
     '#default_value' => $options['seckit_ct']['max_age'],
-    '#states' => [
-      'required' => [
-        'input[name="seckit_ct[expect_ct]"]' => ['checked' => TRUE],
-      ],
-    ],
+    '#states' => array(
+      'required' => array(
+        'input[name="seckit_ct[expect_ct]"]' => array('checked' => TRUE),
+      ),
+    ),
   );
   // Expect-CT report-uri directive
   $form['seckit_ct']['report-uri'] = array(
diff -u b/seckit.module b/seckit.module
--- b/seckit.module
+++ b/seckit.module
@@ -618,7 +618,7 @@
  * Sends Excpect-CT HTTP response header.
  *
  * Implementation is based on specification draft
- ost* available at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT.
+ * available at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT.
  */
 function _seckit_expect_ct() {
   $options = _seckit_get_options();

Other than that, this was great - committed to 7.x-1.x ... thank you to all contributors!

  • mcdruid committed 2c91a4f on 8.x-1.x 
    Issue #2962380 by mcdruid: Fix tiny codesniffer nit

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.