Due to the DigiD audit, the compression of:
- cached pages
- javascript
- css
has to be disabled.
Comment | File | Size | Author |
---|---|---|---|
#2 | disable-gzip-prod-2858039.patch | 1.54 KB | ralphvdhoudt |
Comments
Comment #2
ralphvdhoudt (CreditAttribution: ralphvdhoudt at ezCompany) commented:
Comment #3
mvwensen (CreditAttribution: mvwensen) commented:
Why it is disabled:
https://en.wikipedia.org/wiki/BREACH_%28security_exploit%29
Tested and applied the patch, works as advertised.
Comment #4
mvwensen (CreditAttribution: mvwensen) commented:
The patch as is works correctly, but we need to find an alternative for the "aggregate and compress css" setting.
This setting should be split up or we should use something like https://www.drupal.org/project/advagg
Comment #5
askibinski (CreditAttribution: askibinski at ezCompany) commented:
First of all, the description in this issue is wrong.
Javascript is no issue here. The two settings which are relevant are these:
1. Compress cached pages.
2. Aggregate and compress CSS files.
The first one is not a problem. The second one is compression AND aggregation. We only want to disable compression of CSS files.
Comment #6
askibinski (CreditAttribution: askibinski at ezCompany) commented:
CSS and JS compression are separate variables, see also settings.php:
Comment #7
askibinski (CreditAttribution: askibinski at ezCompany) commented:
Comment #8
Heine (CreditAttribution: Heine) commented:
Why is the compression of aggregate JS and CSS an issue with Breach? Do those files contain secrets?
There is a need to disable compression of HTML. Note that PHP's zlib also compresses automatically. Maybe set http://php.net/manual/en/zlib.configuration.php#ini.zlib.output-compression in htaccess / via ini_set?
Comment #9
ruudvanoijen (CreditAttribution: ruudvanoijen at ezCompany) commented:
https://css-tricks.com/the-difference-between-minification-and-gzipping/
I believe aggregation shouldn't be affected and if the files can't be gzipped I request that the near best thing would be to minify the CSS files when they are aggregated.
Or is it a possibility to fix it as it states in wiki of mvwensen comment.
As a result, clients and servers are either forced to disable HTTP compression completely (thus reducing performance), or to adopt workarounds to try to foil BREACH in individual attack scenarios, such as using cross-site request forgery (CSRF) protection.[3]
Another suggested approach is to disable HTTP compression whenever the referrer header indicates a cross-site request, or when the header is not present.[4][5] This approach allows effective mitigation of the attack without losing functionality, only incurring a performance penalty on affected requests.
Comment #10
bertboerland (CreditAttribution: bertboerland) commented:
wrt #8,
Is this an issue after all? I hardly think so.
Comment #11
frankschaap (CreditAttribution: frankschaap at ezCompany for Gemeente Drimmelen) commented:
The primary issue is that there is no use in arguing with auditors. If their POV is 'disable gzip' then that is the hoop we need to jump through.
Of course BREACH needs mitigation on our side and there are several ways in which we could do that, but thanks to the auditors we need to disable gzip. Period.
I do very much agree that we should enable all other performance options, such as aggregating, minifying, etc.
Comment #12
ralphvdhoudt (CreditAttribution: ralphvdhoudt at ezCompany) commented:
Using the following settings in settings.php solves the issue for the DigiD audit without changing the DVG feature.
The reason this is needed is because the DigiD audit requires it. Arguing that it is irrelevant was/is not sufficient for the audit to create green flags.
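The settings the comment refers to are not on this page, so the fragment below is an added example (not the commenter's settings and not the attached patch) of a Drupal 7 settings.php that switches off gzip for cached pages and for aggregated CSS/JS while keeping aggregation on, which is the split #4 and #5 ask for. It assumes the standard Drupal 7 `$conf` overrides and the `page_compression`, `preprocess_css`/`preprocess_js` and `css_gzip_compression`/`js_gzip_compression` variables that default.settings.php documents.

```php
<?php
// Added example: settings.php overrides for a Drupal 7 site that must not
// serve gzip-compressed responses (BREACH audit finding) but should keep
// CSS/JS aggregation. $conf values override the Performance admin form.

// "Compress cached pages": gzips the HTML served from the page cache. Since
// HTML is the response that carries CSRF tokens and other secrets BREACH
// targets, this is the setting that actually matters for the finding.
$conf['page_compression'] = FALSE;

// Keep "aggregate" on: fewer requests and whitespace-stripped CSS, no gzip.
$conf['preprocess_css'] = TRUE;
$conf['preprocess_js'] = TRUE;

// Aggregated files are normally also written as .gz variants that .htaccess
// serves to clients accepting gzip. These two variables control only that
// step, so aggregation survives while compression is disabled for the audit.
$conf['css_gzip_compression'] = FALSE;
$conf['js_gzip_compression'] = FALSE;

// PHP's own zlib output handler compresses regardless of Drupal's settings
// (see #8). Disable it here too; the .htaccess equivalent would be
// "php_flag zlib.output_compression Off".
ini_set('zlib.output_compression', '0');
```

Aggregated .css.gz/.js.gz files generated before the change stay in the public files directory and are still picked up by the .htaccess rewrite rules until they are removed, so check the served Content-Encoding after deploying rather than trusting the settings alone.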