Consider fallback CSP directives when adding hashes [#3099536]

Currently hashes are registered to apply to a particular directive, and set on only that directive (if it is enabled). If a fallback for that directive is enabled, but not the directive itself, the hashes are not set when they should be.

e.g. default-src 'self' should result in default-src 'self'; script-src 'self' 'hash-123abc'

CSP has a proposed helper function in #3099423: Helper for altering directives with fallback

Comment	File	Size	Author
#3	attachinline-3099536-3.patch	2.15 KB	gapple

Comments

Comment #1

8 December 2019 at 00:14

gapple created an issue. See original summary.

Comment #2

gapple

he/they

English

commented 8 December 2019 at 00:22

Helper function isn't itself useful, because this module needs to consider if 'unsafe-inline' is set, but can be copied to a local helper with the necessary modifications.

Comment #3

gapple

he/they

English

commented 8 December 2019 at 00:35

Status:	Active	» Needs review
Issue tags:		+Needs tests

Status	File	Size
new	attachinline-3099536-3.patch	2.15 KB

Comment #4

8 December 2019 at 05:04

gapple committed c874551 on 8.x-1.x

Issue #3099536: Consider fallback CSP directives when adding hashes

Comment #5

gapple

he/they

English

commented 8 December 2019 at 05:05

Status:

Needs review

» Fixed

Comment #6

22 December 2019 at 05:09

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Consider fallback CSP directives when adding hashes

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Related issues

News items

Our community

Documentation

Drupal code base

Governance of community