Problem/Motivation
The main issue is the need to remove the polyfill-fastly.io library from the webform.libraries.yml file. If it is not completely removed, it appears in the CSP module as an auto source, which poses a security risk.
Currently version 6.2.3 removes the library, but since it is still named in the webform libraries file, it is included by default in CSP.
Steps to reproduce
- Check the current webform.libraries.yml file to see if the polyfill.io library is included.
- Observe the CSP module and notice that the polyfill.io library appears as an auto source.
- Understand that this auto source is flagged as a security issue.
Proposed resolution
The proposed resolution is to completely remove the polyfill-fastly.io library from the webform.libraries.yml file to prevent it from appearing in the CSP module and mitigate the security risk.
Remaining tasks
- Remove the polyfill.io library entry from webform.libraries.yml.
- Update the webform module to reflect this change.
- Test the webform module to ensure it functions correctly without the polyfill-fastly.io library.
- Verify that the polyfill.io library no longer appears in the CSP module as an auto source.
User interface changes
There should be no user interface changes as a result of this resolution. The removal of the polyfill.io library is a backend change.
API changes
There are no API changes expected with this resolution. The removal of the polyfill.io library does not affect the API.
Data model changes
No data model changes are anticipated. This resolution involves only the removal of a library from the webform.libraries.yml file.
| Comment | File | Size | Author |
|---|---|---|---|
| #10 | webform-remove-polyfill.patch | 664 bytes | p.kasianov |
| #2 | 3458611-removing-the-polyfill-io.patch | 668 bytes | thony1199 |
Comments
Comment #2
thony1199The following change removes the polyfill-fastly.io library from the webform.libraries.yml file. This library was being included for older browser support, specifically Internet Explorer 11 and earlier. The removal of this polyfill is necessary to address a security concern where it appears as an auto source in the Content Security Policy (CSP) module, potentially exposing the application to security risks.
Comment #3
cilefen commentedThat is polyfill-fastly.io not polyfill.io.
#3427662: polyfill.io Library is no longer considered safe to use
Comment #4
thony1199Comment #5
cilefen commentedIn what way is polyfill-fastly.io a security risk?
Comment #6
liam morlandI understand that the library is only there for compatibility with IE 11. Since that is no longer supported by Drupal core, it should be removed anyway.
Comment #7
cilefen commentedThat’s not a security reason, to be clear.
Comment #8
robloachWhat @thony1199 brought up originally is about using a strict Content Security Policy, which can block external network requests. It's best to bring down external libraries, and serve them directly through Drupal.
Whether or not that's the primary concern, it does make sense to remove this library outright. Internet Explorer was retired two years ago on June 15, 2022, and is no longer supported by Drupal. The polyfill is no longer needed.
Comment #9
ressaI agree @Liam Morland and @RobLoach, removing the redundant Polyfill library makes sense. Leaflet and Geofield Map contrib modules recently removed it altogether, since it's not needed anyway.
About using CDN's such as polyfill-fastly.io ... It is safe to use today, but what happens if Fastly is bought up and closed, goes bankrupt, or something else, and the domain is squatted in two years time, just like polyfill.io was ...
As a general observation about managing script libraries, see for example Collapsiblock, which has decided to pragmatically include a needed library in the module, making life easier for the end user:
From #3392947-8: Update readme to reflect JS library download no longer required, see also https://git.drupalcode.org/project/collapsiblock#js-library.
In my opinion, it would be prudent to revise the "Policy on 3rd party assets on Drupal.org > Third party libraries" page, which currently says:
From https://www.drupal.org/node/422996#libraries
It could be relaxed a bit, to something like this:
As I see it, it could ease the burden for module maintainers, and make life easier for module end users, if it wasn't strongly discouraged to include a small library in a contrib module.
Alternatively, the Drupal community could make a handful of Composer packages for the most popular JavaScript libraries, so that module maintainers could
require drupal/javascript-library-xyzmaking sure the end users always get the latest, safest version?Partially from #3426106-11: Polyfill.io is no longer considered safe and should be removed, where I got these very valid counter arguments by @mcdruid:
Comment #10
p.kasianov commentedHi,
added patch for 6.2.7
Comment #13
liam morland