Problem/Motivation
Non-core service definitions are loaded after core's, which will cause module event subscribers with the same priority to execute later. As a result, core will:
(1) In normal cases likely never execute the line of code to append to an existing Permissions-Policy header
(2) Always have its header value overwritten by any other implementation
This results in a section of code that is normally unreachable, but with the potential for unexpected behaviour in non-typical circumstances.
Steps to reproduce
- Add the Permissions Policy module to a site
- In the module's configuration, enable the 'Enforced' policy and a directive (e.g. set geolocation to 'empty')
- Inspect the headers of a response
Because the module's subscriber has the same priority as core's subscriber (both use the default of 0), its value completely replaces the core value.
Proposed resolution
Core should only set a default value if a Permissions-Policy header is not already set, and not attempt to modify any existing value.
Remaining tasks
None
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
Issue fork drupal-3218139
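The ordering problem and the proposed resolution from the issue summary, sketched as an added example in plain PHP (not Drupal core's or the module's code). Arrays stand in for the event dispatcher and the response headers, `example-feature=()` is a placeholder for core's default value, and the `, ` separator used when appending is an assumption.

```php
<?php
// Added illustration, not Drupal's code: plain arrays stand in for the
// response headers and for the event dispatcher's listener list.
const HEADER = 'Permissions-Policy';
const CORE_DEFAULT = 'example-feature=()'; // placeholder for core's default value
const MODULE_VALUE = 'geolocation=()';     // geolocation with an empty allowlist

// Run listeners by descending priority; equal priorities keep registration order.
function dispatch(array $listeners): array {
  $order = 0;
  foreach ($listeners as &$l) { $l[] = $order++; } // remember registration order
  unset($l);
  usort($listeners, fn($a, $b) => [$b[0], $a[2]] <=> [$a[0], $b[2]]);
  $headers = [];
  foreach ($listeners as [, $callback]) { $headers = $callback($headers); }
  return $headers;
}

// Before the fix: append to an existing header, otherwise set the default.
$coreBefore = function (array $h): array {
  $h[HEADER] = isset($h[HEADER]) ? $h[HEADER] . ', ' . CORE_DEFAULT : CORE_DEFAULT;
  return $h;
};
// Proposed resolution: set the default only when no header exists yet.
$coreAfter = function (array $h): array {
  $h[HEADER] = $h[HEADER] ?? CORE_DEFAULT;
  return $h;
};
// Contrib module: sets its own value, replacing whatever is there.
$module = function (array $h): array {
  $h[HEADER] = MODULE_VALUE;
  return $h;
};

// Core is registered first, so at equal priority it also runs first.
$cases = [
  'core only'                 => fn($core) => [[0, $core]],
  'module at same priority'   => fn($core) => [[0, $core], [0, $module]],
  'module at higher priority' => fn($core) => [[0, $core], [10, $module]],
];
foreach ($cases as $name => $build) {
  printf("%-26s before: %-34s after: %s\n", $name,
    dispatch($build($coreBefore))[HEADER], dispatch($build($coreAfter))[HEADER]);
}
```

Only the higher-priority case reaches the append branch, which is where the old behaviour alters a policy the site owner configured; with the proposed resolution that policy is left exactly as the module set it.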
Comments
Comment #3
gapple
Comment #4
gapple
Comment #5
longwave
The justification for this issue is good, and this simplifies the code/makes it less surprising to users who might use Permissions-Policy elsewhere.
Comment #8
catch
This makes sense. Committed/pushed to 9.3.x and cherry-picked to 9.2.x, thanks!