While testing a strict CSP (Header set Content-Security-Policy "default-src 'self'; report-uri /violation.php") I found that modernizr uses inline styles, preventing a strict CSP.

To reproduce, add the CSP header to the reponse, then login as user 1 on chrome Version 56.0.2924.76 (64-bit) MacOS Sierra. On the frontpage you'll see violations listed in the developer console.

Console:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-5uIP+HBVRu0WW8ep6d6+YVfhgkl0AcIabZrBS5JJAzs='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
f @ modernizr.min.js?v=3.3.1:3

Report via the report-uri:

{  
   "csp-report":{  
      "document-uri":"http://drupal8.dev/",
      "referrer":"",
      "violated-directive":"style-src",
      "effective-directive":"style-src",
      "original-policy":"default-src 'self'; report-uri /violation.php",
      "disposition":"enforce",
      "blocked-uri":"inline",
      "line-number":3,
      "column-number":2009,
      "source-file":"http://drupal8.dev/core/assets/vendor/modernizr/modernizr.min.js?v=3.3.1",
      "status-code":200
   }
}

Upstream issue: https://github.com/Modernizr/Modernizr/issues/1262

Comments

Heine created an issue. See original summary.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Version: 8.3.x-dev » 8.4.x-dev

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

gapple’s picture

gapple
he/they
Primary language English
CreditAttribution: gapple as a volunteer commented
Related issues: +#2513356: Add a default CSP and clickjacking defence and minimal API for CSP to core
gapple’s picture

gapple
he/they
Primary language English
CreditAttribution: gapple as a volunteer commented
Issue tags: +Content Security Policy

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

BasH’s picture

BasH CreditAttribution: BasH commented

What is the status of this issue?
Just installed Drupal 9.2.8 with CSP enabled (via seckit module) and I have the same problem with version 3.11.7 of modernizr.min.js
What to do?

gapple’s picture

gapple
he/they
Primary language English
CreditAttribution: gapple as a volunteer commented

There's a stagnant PR to Modernizr https://github.com/Modernizr/Modernizr/pull/1263

AFAIK, the error from Modernizr is safe to ignore if you're not using the CSS feature detections that cause the CSP violation.

----

CKEditor 4 requires style-src 'unsafe-inline'; style-src-attr 'unsafe-inline';. If you're using Seckit which sets the same policy on every response, CKEditor's requirement should also stop Modernizer from triggering this violation.

The Content-Security-Policy module only adds 'unsafe-inline' when necessary for CKEditor, so Modernizer would only trigger a violation when ckeditor is not loaded on the same page.
Though I wouldn't recommend it, you could implement your own subscriber to CSP module's event to alter the policy when Modernizer is added to the page as well.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

gapple’s picture

gapple
he/they
Primary language English
CreditAttribution: gapple as a volunteer commented
Status: Active » Closed (duplicate)
Related issues: +#3239980: Deprecate Modernizr

Modernizr is now deprecated in 10.1, and will be removed from 11

#3239980: Deprecate Modernizr