While testing a strict CSP (Header set Content-Security-Policy "default-src 'self'; report-uri /violation.php") I found that modernizr uses inline styles, preventing a strict CSP.
To reproduce, add the CSP header to the response, then log in as user 1 on Chrome Version 56.0.2924.76 (64-bit), macOS Sierra. On the frontpage you'll see violations listed in the developer console.
Console:
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-5uIP+HBVRu0WW8ep6d6+YVfhgkl0AcIabZrBS5JJAzs='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
f @ modernizr.min.js?v=3.3.1:3
Report via the report-uri:
{
  "csp-report": {
    "document-uri": "http://drupal8.dev/",
    "referrer": "",
    "violated-directive": "style-src",
    "effective-directive": "style-src",
    "original-policy": "default-src 'self'; report-uri /violation.php",
    "disposition": "enforce",
    "blocked-uri": "inline",
    "line-number": 3,
    "column-number": 2009,
    "source-file": "http://drupal8.dev/core/assets/vendor/modernizr/modernizr.min.js?v=3.3.1",
    "status-code": 200
  }
}
Upstream issue: https://github.com/Modernizr/Modernizr/issues/1262
Comments
Comment #2
xjm
Comment #5
gapple
Comment #6
gapple
Comment #13
BasH commented:
What is the status of this issue?
Just installed Drupal 9.2.8 with CSP enabled (via seckit module) and I have the same problem with version 3.11.7 of modernizr.min.js
What to do?
Comment #14
gapple commented:
There's a stagnant PR to Modernizr: https://github.com/Modernizr/Modernizr/pull/1263
AFAIK, the error from Modernizr is safe to ignore if you're not using the CSS feature detections that cause the CSP violation.
----
CKEditor 4 requires "style-src 'unsafe-inline'; style-src-attr 'unsafe-inline';". If you're using Seckit, which sets the same policy on every response, CKEditor's requirement should also stop Modernizr from triggering this violation. The Content-Security-Policy module only adds 'unsafe-inline' when necessary for CKEditor, so Modernizr would only trigger a violation when CKEditor is not loaded on the same page.
Though I wouldn't recommend it, you could implement your own subscriber to the CSP module's event to alter the policy when Modernizr is added to the page as well.
Comment #18
gapple commented:
Modernizr is now deprecated in 10.1, and will be removed from 11.
#3239980: Deprecate Modernizr