Problem/Motivation

If a site disables the `unsafe-*` source expressions for CSP (such as `'unsafe-inline'`), effectively running the strictest CSP, the progress bar will not load, because the default template (core/modules/system/templates/progress-bar.html.twig) uses an inline `style` attribute on a `<div>`, and a `style-src` policy without `'unsafe-inline'` blocks inline style attributes.

screenshot

Steps to reproduce

Enable the CSP module, or use any other method of setting a CSP, and ensure all `unsafe-*` source expressions are disabled.

CSP module settings:

screenshot

Proposed resolution

Do something else that doesn't use the `style` attribute.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comment | File | Size | Author
#4 | csp-settings.png | 71.83 KB | dpi
#3 | progress-bar-drupal.png | 86.17 KB | dpi

Comments

dpi created an issue. See original summary.

quietone’s picture

Version: 11.2.x-dev » 11.x-dev

Hi, if this problem was discovered on a version of Drupal that is not 11.x, add that information in the issue summary and leave the version at 11.x. In Drupal core, changes are made on 11.x (our main development branch) first, and are then backported as needed according to the Core change policies. Thanks.

dpi’s picture

Issue summary: View changes
File status: new, 86.17 KB
dpi’s picture

Issue summary: View changes
File status: new, 71.83 KB
angel_devoeted’s picture

Hi, thanks for sharing this.

The described behavior makes sense with strict CSP. Before discussing a specific resolution, I think it would be helpful to clarify whether strict CSP compatibility for the progress bar is considered in scope for core, given that it’s primarily used in admin/batch contexts where CSP is often excluded.

longwave’s picture

One fix would be to convert the progress bar to use the <progress> element?

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/pro...

#1477550: Bring progressbar to the postmodern era is somewhat dated but also suggests that as an option.
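The `<progress>`-based approach suggested above, as an added example that is not part of this issue, Drupal core, or the CSP module. It renders the inline-style shape the issue describes next to a `<progress>`-based version, shows how the client side can update the bar without touching `style-src`, and includes a check that flags inline `style` attributes in rendered markup. All function names, class names, and the markup itself are assumptions for illustration, not the text of progress-bar.html.twig or of Drupal's progress.js.

```javascript
// Added example (not Drupal core or CSP module code): a batch progress bar that
// needs no inline "style" attribute, plus a check that flags inline styles in
// rendered markup. Function and class names are assumed for illustration.

// Minimal HTML escaping for text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Keep the percentage numeric and within 0..100 so it is safe to emit as an
// attribute value and as the <progress> value.
function clampPercentage(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) {
    return 0;
  }
  return Math.min(100, Math.max(0, n));
}

// "Before": the inline-style shape the issue describes (constructed illustration,
// not the text of progress-bar.html.twig). The width lives in a style attribute,
// which a style-src policy without 'unsafe-inline' refuses to apply.
function renderInlineStyleBar(percentage, message) {
  const pct = clampPercentage(percentage);
  return (
    '<div class="progress">' +
    '<div class="progress__track">' +
    `<div class="progress__bar" style="width: ${pct}%"></div>` +
    '</div>' +
    `<div class="progress__description">${escapeHtml(message)}</div>` +
    '</div>'
  );
}

// "After": <progress> carries the state in ordinary attributes. Appearance comes
// from the theme's stylesheet, so nothing per-request is inline and the policy
// can stay strict.
function renderProgressElementBar(percentage, message, label) {
  const pct = clampPercentage(percentage);
  return (
    '<div class="progress">' +
    `<progress class="progress__bar" value="${pct}" max="100" ` +
    `aria-label="${escapeHtml(label)}">${pct}%</progress>` +
    `<div class="progress__description">${escapeHtml(message)}</div>` +
    '</div>'
  );
}

// Client-side update: assigning the element's value property (or element.style
// through the CSSOM) is not governed by style-src; only style attributes in
// markup and setAttribute('style', ...) are. Accepts a real <progress> element
// or any object with the same properties.
function applyProgress(progressEl, percentage) {
  const pct = clampPercentage(percentage);
  progressEl.max = 100;
  progressEl.value = pct;
  progressEl.textContent = `${pct}%`;
  return progressEl;
}

// Review check: list inline style attributes in rendered HTML. Run it over a
// template's output to confirm a strict style-src will not break it.
function findInlineStyleAttributes(html) {
  const pattern = /\sstyle\s*=\s*(?:"[^"]*"|'[^']*')/gi;
  return html.match(pattern) || [];
}
```

The check is the part worth keeping around: running `findInlineStyleAttributes` over the rendered output of any template that is being converted is a quick way to confirm the conversion actually removed the thing a strict `style-src` blocks, rather than moving it somewhere the policy still rejects (such as `setAttribute('style', ...)` in JavaScript).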

dpi’s picture

given that it’s primarily used in admin/batch contexts where CSP is often excluded.

If there is any place CSP should be on above all others, it is when a user with privileged access is authenticated.

For the CSP module, there is no delineation between roles or front/admin theme. It's either on, in reporting mode, or off: globally.

Drupal should aim for as strict as possible compliance, though it hasn't been prioritized as far as I know. Besides, the problem at hand, inline styles and scripts, are not best practice either.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.