Hi,

I've set up my CSP settings and added only the script-src and style-src directives.
But if I load a node add form, the following header is returned:

Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://cdnjs.cloudflare.com https://rebilly.github.io https://unpkg.com platform.instagram.com platform.twitter.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; script-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com

You can see that the script-src-elem directive has been added, but I have not configured it.

My csp.settings are:

report-only:
  enable: true
  directives:
    script-src:
      sources:
        - 'https://maps.googleapis.com'
      flags:
        - unsafe-inline
      base: self
    style-src:
      flags:
        - unsafe-inline
      base: self
  reporting:
    plugin: none
enforce:
  enable: false
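To catch drift like this before it reaches enforce mode, it helps to diff the policy the site actually serves against the directives you configured, and to work out what the extra directive changes. This is an added example, not code from the CSP module or from the reporter: it parses the header quoted above (copied here as a constant), lists directives that are not in the configured set, and shows which script-src hosts the unintended script-src-elem silently drops, since per CSP Level 3 a script-src-elem directive, when present, replaces script-src for <script> element checks rather than extending it. The function names and the CONFIGURED set are this example's own.

```python
"""Diff a served Content-Security-Policy against the directives you intended to set."""
from typing import Dict, List, Set

# The Report-Only header value quoted in the issue above (constructed copy).
REPORTED_HEADER = (
    "script-src 'self' 'unsafe-inline' https://maps.googleapis.com "
    "https://cdnjs.cloudflare.com https://rebilly.github.io https://unpkg.com "
    "platform.instagram.com platform.twitter.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; "
    "script-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com"
)

# Directive names present in the csp.settings from the issue (assumed: nothing else was set).
CONFIGURED: Set[str] = {"script-src", "style-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Serialized policy -> {directive name: source list}.

    Directives are separated by ';', tokens by ASCII whitespace. If a directive
    name repeats, browsers keep the first occurrence and ignore the rest, so we
    do the same with setdefault().
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def unexpected_directives(policy: Dict[str, List[str]], configured: Set[str]) -> List[str]:
    """Directive names that were served but never configured."""
    return sorted(set(policy) - configured)


def effective_script_element_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Sources a browser consults for <script> elements.

    script-src-elem wins outright when present; otherwise the check falls back
    to script-src, and from there to default-src.
    """
    if "script-src-elem" in policy:
        return policy["script-src-elem"]
    return policy.get("script-src", policy.get("default-src", []))


def hosts_lost_to_elem(policy: Dict[str, List[str]]) -> List[str]:
    """script-src sources that the served script-src-elem would no longer allow."""
    if "script-src-elem" not in policy:
        return []
    return sorted(set(policy.get("script-src", [])) - set(policy["script-src-elem"]))


def report(header: str, configured: Set[str]) -> str:
    """Human-readable summary of the drift between intent and served policy."""
    policy = parse_csp(header)
    lines = [f"unexpected directives: {unexpected_directives(policy, configured)}",
             f"effective <script> sources: {effective_script_element_sources(policy)}",
             f"script-src hosts blocked for <script> elements: {hosts_lost_to_elem(policy)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REPORTED_HEADER, CONFIGURED))
```

Run against the reported header, the check flags script-src-elem as unexpected and shows that https://maps.googleapis.com (the one host the reporter explicitly configured) is among the sources a browser would refuse for script elements once the same policy is enforced, which is the practical reason a stray directive derived from style-src matters.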

Comments

sunlix created an issue. See original summary.

sunlix wrote:

If I add the script-src-elem directive to the config and also add a custom host string, there is no change to the script-src-elem directive in the returned CSP header.

I've re-tested that in a fresh installation after flushing all caches in addition to the config change.

  • gapple committed 9786bf9 on 8.x-1.x
    Issue #3102077: script-src-elem incorrectly added
    
gapple wrote:

Status: Active » Fixed

Thanks for the bug report.

Looks like I made an error while implementing #3100068: Script/style included in AJAX responses blocked without 'unsafe-inline', causing script-src-elem to be incorrectly set based on style-src.

This will be fixed in 1.x-1.8, which will be available shortly.

gapple wrote:

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.