Admins should be able to add additional domains to the policy through configuration.
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | csp-2895243-8.interdiff.txt | 5.93 KB | gapple |
| #8 | csp-2895243-8-manual-policy.patch | 31.68 KB | gapple |
Comments
Comment #2
gapple: Maybe there should be toggle options for the static properties (e.g. 'unsafe-inline'), and a separate input for domains so that each domain can be validated and warnings can be placed on the appropriate toggle items.
Comment #3
gapple: Report-URI has a CSP builder that uses a vertical-tabs-like interface (https://report-uri.com/home/generate/)
I've started to build out this, but it makes for a very long page if many directives are defined:
Comment #4
gapple: New iteration with the list of directives for each of the enforced and report-only policies in a separate vertical tab.
Comment #5
gapple: Some smaller changes that you can see:
- A master checkbox to enable each of the enforced and report-only policies. The module won't do anything if both are disabled, so I'm pondering forcing at least one to be enabled when submitting the form.
- If automated values are provided for a directive (by default script-src and style-src), it must be enabled in configuration (the checkbox is checked and disabled). This forces setting a base value (by default 'self'), otherwise a directive could be enabled by an automated value and unexpectedly block resources. For example if a module were to provide a domain for connect-src but it's not configured, any http requests to the Drupal site would get reported or blocked (e.g. autocomplete, form AJAX...)
A lot of work behind the scenes:
- Updated the configuration schema and default configuration
- Update hook to modify the config for existing sites to the new defaults.
- Saving the form actually updates configuration
- The configuration affects the generated policies
- Policy class supports boolean directives ('block-all-mixed-content', 'upgrade-insecure-requests')
Since it's now actually functional, I'll attach a patch.
Comment #7
gapple: The configuration yml will look like this:
Most directives use the same 'source-list' format as script-src and style-src, but a few directives are boolean values, or an array of keys:
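The two rules described in comments #5 and #7 (a directive must carry a base value such as 'self' before automated values are merged in, and directives come in source-list, boolean and key-list forms) can be shown with a small policy builder. This is an added example, not code from the CSP module; the configuration layout (`enable`/`base`/`sources`/`keys` keys), the choice of `sandbox` as the key-list directive, and all host names are assumptions made for illustration.

```python
"""Assemble and check Content-Security-Policy headers from a config mapping.

Added example, not code from the Drupal CSP module. The config layout
(per-policy 'enable', per-directive 'enable'/'base'/'sources'/'keys') and
the sample hosts are constructed for illustration.
"""

BOOLEAN_DIRECTIVES = {"block-all-mixed-content", "upgrade-insecure-requests"}
KEY_LIST_DIRECTIVES = {"sandbox"}  # assumed example of an array-of-keys directive
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}
BASE_VALUES = {"self": "'self'", "any": "*", "none": "'none'"}


def render_source(value):
    """Keyword sources are quoted in the header; host sources are not."""
    return f"'{value}'" if value in KEYWORDS else value


def build_policy(config, automated=None):
    """Return the header value for one policy, or None when it is disabled.

    `automated` maps a directive name to values contributed by other modules.
    """
    if not config.get("enable"):
        return None
    automated = automated or {}
    directives = {name: dict(d) for name, d in config.get("directives", {}).items()}
    for name in automated:
        d = directives.setdefault(name, {})
        if not d.get("enable"):
            # An automated value must not be the only reason a directive exists:
            # force it on with 'self' as the base so same-origin requests survive.
            d["enable"] = True
            d.setdefault("base", "self")
    parts = []
    for name, d in directives.items():
        if not d.get("enable"):
            continue
        if name in BOOLEAN_DIRECTIVES:
            parts.append(name)
        elif name in KEY_LIST_DIRECTIVES:
            parts.append(" ".join([name, *d.get("keys", [])]))
        else:
            sources = [render_source(s) for s in d.get("sources", [])]
            sources += [render_source(s) for s in automated.get(name, [])]
            sources = list(dict.fromkeys(sources))  # de-duplicate, keep order
            base = d.get("base", "self")
            # 'none' is ignored by browsers when other sources are present
            if base != "none" or not sources:
                sources.insert(0, BASE_VALUES[base])
            parts.append(" ".join([name, *sources]))
    return "; ".join(parts)


def parse_policy(header):
    """Split a serialized policy back into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """Match a host source, allowing a leading '*.' wildcard label."""
    if pattern == "*":
        return True
    if "://" in pattern:  # drop a scheme; ports are not modelled here
        pattern = pattern.split("://", 1)[1]
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def permits(header, directive, host, self_host):
    """Would a request to `host` be allowed under `directive`?

    An absent fetch directive falls back to default-src; if that is absent too
    the browser applies no restriction for that directive.
    """
    policy = parse_policy(header)
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    for src in sources:
        if src == "'self'" and host == self_host:
            return True
        if not src.startswith("'") and host_matches(src, host):
            return True
    return False  # empty list or only 'none'/unmatched sources


# Constructed sample: script-src and style-src enabled with 'self' as base,
# connect-src left unconfigured, a contributed module adding an analytics host.
SAMPLE_CONFIG = {
    "enable": True,
    "directives": {
        "script-src": {"enable": True, "base": "self", "sources": ["cdn.example.com"]},
        "style-src": {"enable": True, "base": "self"},
        "upgrade-insecure-requests": {"enable": True},
    },
}
AUTOMATED = {"connect-src": ["analytics.example.net"]}
NAIVE_HEADER = "connect-src analytics.example.net"  # what omitting the base would yield


def demo(self_host="www.example.org"):
    header = build_policy(SAMPLE_CONFIG, AUTOMATED)
    return {
        "header": header,
        "own_ajax_allowed": permits(header, "connect-src", self_host, self_host),
        "own_ajax_allowed_naive": permits(NAIVE_HEADER, "connect-src", self_host, self_host),
        "analytics_allowed": permits(header, "connect-src", "analytics.example.net", self_host),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the forced base the site's own AJAX and autocomplete requests still pass `connect-src`; the naive header, containing only the contributed host, would report or block them, which is the failure mode comment #5 describes.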
Comment #8
gapple: Add tests to the patch. Interdiff also shows an extra change that snuck into the previous patch.
Comment #11
gapple: Will open some follow-up issues for a few remaining items, but I think this is sufficiently functional to put into a new release.