This module should calculate a CSP hash for each snippet, and provide the value to the Content Security Policy Module to add to the page's header value.
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | attachinline-3095521-5.patch | 5.42 KB | gapple |
Comments
Comment #2
gapple
CSP released #3047214: API for calculating hash of inline script/src in 8.x-1.5, but the alter event is still in progress
Comment #3
gapple
This patch won't do anything without the patch in #2895245: API for modules to alter policy, which dispatches the new event.
- Provide a service that collects hashes, and adds them to the policy when CSP dispatches its alter event.
- When rendering inline script elements, calculate the hash and register it.
The hashes are only added to a directive if
- The directive is enabled in CSP config
- The directive does not already contain 'unsafe-inline', since adding a hash to a directive disables 'unsafe-inline' (which could break things like CKEditor that rely on it).
Comment #4
gapple
An important note is that this won't work if script-src is not enabled and falls back to an enabled default-src.
A more robust solution would need to understand the directive fallback list, and duplicate + modify directives as necessary.
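The two conditions listed in comment #3 and the fallback handling described in comment #4, as an added example that is not part of this thread, the attached patch, or the CSP module's code. The function names `csp_hash_source()` and `add_hash()` and the plain-array policy model are hypothetical, and the snippet and policies are constructed sample input.

```php
<?php
declare(strict_types=1);

// Assumption: the policy is modelled as directive name => list of sources.
// These helpers are illustrative and are not the CSP module's classes.

// Directives consulted, in order, when a script directive is absent.
const FALLBACKS = [
  'script-src-elem' => ['script-src', 'default-src'],
  'script-src'      => ['default-src'],
];

// Hash source for the exact text between <script> and </script>.
function csp_hash_source(string $inline, string $algo = 'sha256'): string {
  return "'" . $algo . '-' . base64_encode(hash($algo, $inline, true)) . "'";
}

// Add $hash to $directive, duplicating its effective fallback when unset.
function add_hash(array $policy, string $directive, string $hash): array {
  $effective = $policy[$directive] ?? null;
  foreach (FALLBACKS[$directive] ?? [] as $parent) {
    $effective ??= $policy[$parent] ?? null;
  }
  // Nothing enabled in the chain: inline scripts are not restricted.
  // 'unsafe-inline' present: a hash would make browsers ignore it, so skip.
  if ($effective === null || in_array("'unsafe-inline'", $effective, true)) {
    return $policy;
  }
  // Setting the directive explicitly stops the fallback, so keep its sources.
  $merged = array_merge($effective, [$hash]);
  $policy[$directive] = array_values(array_unique($merged));
  return $policy;
}

// Constructed sample snippet and policies.
$snippet = "console.log('constructed sample');";
$hash = csp_hash_source($snippet);
$cases = [
  'script-src enabled'        => ['script-src' => ["'self'"]],
  'only default-src enabled'  => ['default-src' => ["'self'"]],
  "relies on 'unsafe-inline'" => ['script-src' => ["'self'", "'unsafe-inline'"]],
];
foreach ($cases as $label => $policy) {
  $out = add_hash($policy, 'script-src', $hash);
  $parts = array_map(fn($n) => $n . ' ' . implode(' ', $out[$n]), array_keys($out));
  echo $label, ': ', implode('; ', $parts), PHP_EOL;
}
```

In the second case the output carries both the original default-src and a new script-src that repeats its sources plus the hash; in the third case the policy is returned unchanged.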
Comment #5
gapple
#3099423: Helper for altering directives with fallback will add a helper to set a directive from a fallback if necessary - implementing it can be done in a followup once that's merged and available in a stable release.
This is technically compatible with csp 1.5, which added Csp::calculateHash(), but doesn't do anything until 1.6, which added the alter event.
Comment #7
gapple