Provide patches to other modules implementing the Policy Alter event.

Googalytics
Needs: add the domain where tracking data is sent to img-src and connect-src.
Issue: #3097993: Integration with Content Security Policy

Google Analytics
Needs: script-src 'unsafe-inline'; script-src-elem 'unsafe-inline' 😔, img-src, and connect-src.

IE9 Compatibility
Needs: style-src 'unsafe-inline'; style-src-elem 'unsafe-inline' when CSS aggregation is disabled, or in maintenance mode.
Issue: #3099403: Alter Content Security Policy when >32 CSS files are required.

Attach Inline
Needs: add a hash for each attached script.
Issue: #3095521: Provide Content Security Policy hashes
Comments

Comment #2 (gapple)

Comment #3 (gapple)
I'm not sure if CDN could need to make alterations for certain configurations.
Comment #4 (Grimreaper)
Hello,
Thanks a lot for the module. I became aware of security headers last week, and was a little bit frustrated to have to put a global config server side. Someone pointed me to the module, and yes, being able to have fine-grained behavior to maximize security while allowing features to work is amazing!
Here is a patch for Matomo: #3137978-2: Support Content-Security-Policy
I will try to also do one for Blazy.
Comment #5 (Grimreaper)
Blazy patch: #3137987-2: Support Content-Security-Policy
Comment #6 (gapple)
Thank you for opening those issues and creating patches.
----
The end result is the same, but in other modules, instead of using a service provider to conditionally register the event handler service, I've defined the service in YML and then conditionally registered for the event:
Matomo and Blazy make global alterations to the policy, so they don't require additional services, but defining the event subscriber in YML is likely preferable in cases where other services need to be injected.
Comment #7 (Grimreaper)
Ok.
Because, as you can see on #3137978-2: Support Content-Security-Policy, the patch provoked errors when the csp code is not present.
I only saw this commit https://git.drupalcode.org/project/ga/commit/ec73309. I didn't see that you made some changes in the event subscriber class.
Yes, I prefer YAML too.
Comment #8 (gapple)
Yeah, I broke things with that commit because I didn't test a site without CSP enabled first 😬
Comment #9 (bburg)
I'm making a request to integrate the bg_image_formatter module as well. I've filed a corresponding issue: #3166469: Integrate with Content Security Policy.
Is there any documentation on setting up module integrations for CSP?
Comment #10 (gapple)
There isn't yet a documentation page.
CSP's handling for Drupal Core and the modules listed in this issue currently provide examples of a few use cases:
- A global alteration to the policy
- Alterations based on enabled modules
- Alterations based on libraries attached to the page
- Registering alterations based on render element attributes
Comment #11 (bburg)
Can you point to any examples of dynamically adding a nonce to the CSP?
Comment #12 (gapple)
First, there are some important considerations about using hashes or nonces to authorize scripts:
- nonces can only be used to authorize <script> or <style> elements, not attributes on other elements.
- hashes can only be used to authorize attributes in browsers that support CSP Level 3, in combination with the 'unsafe-hashes' directive
- hashes can only authorize external scripts in browsers that support CSP Level 3
- Using a hash or nonce will override 'unsafe-inline' (ckeditor relies on script-src-attr 'unsafe-inline'; AJAX responses may need to add additional script elements on the page, which currently relies on script-src-elem 'unsafe-inline')

For an example, the Attach Inline module uses hashes by default to authorize its scripts, but can optionally be configured to use a nonce instead.
- The module retrieves a nonce from the module's CSP Event Subscriber, adds the nonce attribute to the element being rendered, and registers the necessary directives (https://git.drupalcode.org/project/attachinline/-/blob/8.x-1.x/src/Asset...)
- The event subscriber then alters the registered directives to include the nonce, with consideration for the presence of 'unsafe-inline' (https://git.drupalcode.org/project/attachinline/-/blob/8.x-1.x/src/Event...)

The most restrictive policy possible with an inline script element and a nonce will depend on page content:
With only CKEditor:
with only AJAX:
with both:
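As an added example (not code from this issue, the csp module, or any module discussed here), an event subscriber combining the patterns from comments #10 and #12: a global img-src/connect-src alteration like the Googalytics/Matomo case, an alteration gated on an attached library, and a script hash added only to a directive that does not already rely on 'unsafe-inline'. The module name "mymodule", the tracker host, the library name and the inline script are hypothetical, and the csp module class and method names (PolicyAlterEvent, CspEvents::POLICY_ALTER, fallbackAwareAppendIfEnabled(), calculateHash()) are assumed from its 8.x-1.x API.

```php
<?php
namespace Drupal\mymodule\EventSubscriber;
use Drupal\Core\Render\AttachmentsInterface;
use Drupal\csp\Csp;
use Drupal\csp\CspEvents;
use Drupal\csp\Event\PolicyAlterEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Policy Alter subscriber for a hypothetical "mymodule" (registered as an
 * event_subscriber service); csp class/method names assumed from 8.x-1.x.
 */
class CspSubscriber implements EventSubscriberInterface {
  // Constructed example values, not a real tracker host or script.
  const TRACKING_HOST = 'https://analytics.example.com';
  const INLINE_SCRIPT = 'window.myModule = {enabled: true};';
  public static function getSubscribedEvents(): array {
    return [CspEvents::POLICY_ALTER => 'onCspPolicyAlter'];
  }

  public function onCspPolicyAlter(PolicyAlterEvent $event): void {
    $policy = $event->getPolicy();
    // Global alteration (the Googalytics/Matomo case): beacons and XHR go to
    // the tracker host, so allow it in img-src and connect-src (or their
    // fallback, default-src, when those directives are not enabled).
    $policy->fallbackAwareAppendIfEnabled('img-src', self::TRACKING_HOST);
    $policy->fallbackAwareAppendIfEnabled('connect-src', self::TRACKING_HOST);

    // Library-based alteration: only pages attaching mymodule/tracker carry
    // the inline bootstrap script, so only they need its hash.
    $response = $event->getResponse();
    $libraries = $response instanceof AttachmentsInterface
      ? ($response->getAttachments()['library'] ?? []) : [];
    if (!in_array('mymodule/tracker', $libraries, TRUE)) {
      return;
    }

    // A hash source makes browsers ignore 'unsafe-inline' in the same
    // directive, so add it to the first enabled directive of the fallback
    // chain only if that directive does not already rely on 'unsafe-inline'.
    foreach (['script-src-elem', 'script-src', 'default-src'] as $directive) {
      if ($policy->hasDirective($directive)) {
        if (!in_array("'unsafe-inline'", $policy->getDirective($directive), TRUE)) {
          $policy->appendDirective($directive, Csp::calculateHash(self::INLINE_SCRIPT));
        }
        return;
      }
    }
  }
}
```

The hash step is the same rule comment #15 describes for Attach Inline: skipping a directive that carries 'unsafe-inline' avoids silently disabling that keyword for CKEditor or AJAX pages.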
Comment #13 (bburg)
On CSP support, the only questionable item is whether Safari supports it. I can't get a straight answer so far anywhere on whether Safari 13 supports it; I've only found https://caniuse.com/#search=Content%20security%20policy%20level. But it still seems prudent to work toward this.
My big motivation is to address a design pattern that my company has used for a few years now of using inline attributes to set background images. I see https://www.drupal.org/project/bg_image_formatter as the solution to this, which will have several benefits, including a potentially easier implementation of a CSP (assuming an integration is done).
The bg_image_formatter module appears to generate a element in the head, so a nonce seems like what is appropriate. I'm aware of the CKEditor issue, and appreciate this module's handling of it so far. It's striking me just now that we can probably use the attachinline module to basically handle this for us. I'm giving it a try.

Comment #14 (bburg)
So I was able to convince the maintainer of bg_image_formatter to adopt attach inline as a dependency for a 3.x version https://git.drupalcode.org/project/bg_image_formatter/-/commit/5023c0d02....
I am also now a co-maintainer of that module.
I am testing it out to see if this works. Right now, it will render the nonce on the element, but it does not include the nonce (or hash) in the CSP. Is there a step I am missing?

Comment #15 (gapple)
Attach Inline will only add hashes to a directive if it or a fallback directive is enabled in configuration, and the directive does not include 'unsafe-inline'.
Any page with the Drupal AJAX library attached currently requires style-src 'unsafe-inline'; style-src-elem 'unsafe-inline', but enabling the CSP Extras module added in CSP 8.x-1.13 will override core to remove this requirement.

Comment #16 (egranty)
Safari does support CSP 3, but not fully and with some bugs (12.1.1 was tested):
- 'hash-value' is supported for inline scripts, but not for external.
- 'nonce-value' is supported both for inline scripts and external ones.
- 'unsafe-hashes' is not supported.
- 'strict-dynamic' is not supported (more precisely, partially supported with awful consequences).

Comment #17 (ChrisSnyder)
Editoria11y support: #3388093: Support Content Security Policy (csp)
Comment #18 (gapple)
I think this issue has finished its usefulness; the most notable modules I'm aware of have support.
Feel free to ping me in Slack or open another issue for help supporting a particular module :)