Problem/Motivation

Piwik PRO has the possibility to support CSP headers. This functionality would be good to be implemented in the module also.

Steps to reproduce

TBD.

Proposed resolution

We should add a new configuration for the module to enable CSP and implement the nonce settings according to the Piwik PRO documentation.

Remaining tasks

1. Functionality
2. Documentation
3. Tests

User interface changes

A checkbox type option in the module page to enable CSP.

API changes

None.

Data model changes

A new boolean field to enable CSP.

Issue fork piwik_pro-3482341

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

  • 1.4.x Comparechanges, plain diff MR !22
    • 2 hidden branches
  • 1.1.x Comparecompare
  • 3482341-add-support-for Comparecompare
About issue forks

Comments

heikkiy created an issue. See original summary.

heikkiy’s picture

heikkiy commented
Title: Add support for CSP-headers » Add support for CSP headers
heikkiy’s picture

heikkiy commented
Category: Plan » Feature request

rajeshreeputra made their first commit to this issue’s fork.

jorgik made their first commit to this issue’s fork.

jorgik opened merge request !22

jorgik’s picture

jorgik commented
Version: 1.1.x-dev » 1.4.x-dev
hartsak’s picture

hartsak commented
Status: Active » Needs work

Thanks a lot for your work with this issue @jorgik!

Could you please try to change your indenting so it would follow Drupal coding standards https://www.drupal.org/docs/develop/standards/php/php-coding-standards#i... ?

It seems there's now a lot of 4 space indenting instead of 2 spaces which makes looking at the changes a little difficult.

There's also a couple of occasions with issues like "Access to constant POLICY_ALTER on an unknown class Drupal\csp\CspEvents."

lakdev made their first commit to this issue’s fork.

lakdev’s picture

lakdev commented
Status: Needs work » Needs review

Based on the great work by @jorgik, I updated the code to the latest version and fixed all remaining code quality issues. I also made a few small refactors to leverage existing services from the CSP module and added some tests.

Hope this helps! Looking forward to a review!

hartsak’s picture

hartsak commented
Status: Needs review » Needs work

Hello @lakdev and thanks a lot for your efforts with these features!

I tested your code and as far as I could find out the nonce seems to work. I also liked a lot of that implementation where enabling the CSP mode requires a separate install of the CSP module instead of adding that module anyway. So it leaves it up to the admins to make the choice if they want to have the module or not. That's a good idea!

However, I picked up 5 deprecation warnings with phpunit testing. At least some of these seem quite simple to fix, but can you still give a look at these yourself too?

1) /var/www/html/vendor/symfony/error-handler/DebugClassLoader.php:347
Method "Symfony\Component\EventDispatcher\EventSubscriberInterface::getSubscribedEvents()" might add "array" as a native return type declaration in the future. Do the same in implementation "Drupal\piwik_pro\EventSubscriber\PiwikProCspAlterSubscriber" now to avoid errors or add an explicit @return annotation to suppress this message.

Triggered by:

* Drupal\Tests\piwik_pro\Functional\PiwikProCspIntegrationTest::testCspHeaderWithNonContainersDomain
  /var/www/html/web/modules/contrib/piwik_pro/tests/src/Functional/PiwikProCspIntegrationTest.php:370

2) /var/www/html/web/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php:169
Not supporting attribute discovery in Drupal\Core\Plugin\DefaultPluginManager is deprecated in drupal:11.2.0 and is removed from drupal:12.0.0. Provide an Attribute class and an Annotation class for BC. See https://www.drupal.org/node/3395582

Triggered by:

* Drupal\Tests\piwik_pro\Functional\PiwikProCspIntegrationTest::testCspHeaderWithNonContainersDomain
  /var/www/html/web/modules/contrib/piwik_pro/tests/src/Functional/PiwikProCspIntegrationTest.php:370

3) /var/www/html/web/core/lib/Drupal/Core/Test/HttpClientMiddleware/TestHttpClientMiddleware.php:52
The core/js-cookie asset library is deprecated in Drupal 10.1.0 and will be removed in Drupal 11.0.0. There is no replacement. See https://www.drupal.org/node/3322720

Triggered by:

* Drupal\Tests\piwik_pro\Functional\PiwikProCspIntegrationTest::testCspHeaderWithNonContainersDomain
  /var/www/html/web/modules/contrib/piwik_pro/tests/src/Functional/PiwikProCspIntegrationTest.php:370

4) /var/www/html/web/core/lib/Drupal/Core/Test/HttpClientMiddleware/TestHttpClientMiddleware.php:52
Not supporting attribute discovery in Drupal\Core\Plugin\DefaultPluginManager is deprecated in drupal:11.2.0 and is removed from drupal:12.0.0. Provide an Attribute class and an Annotation class for BC. See https://www.drupal.org/node/3395582

Triggered by:

* Drupal\Tests\piwik_pro\Functional\PiwikProCspIntegrationTest::testCspHeaderWithNonContainersDomain (5 times)
  /var/www/html/web/modules/contrib/piwik_pro/tests/src/Functional/PiwikProCspIntegrationTest.php:370

5) /var/www/html/web/core/lib/Drupal/Core/Asset/LibraryDiscoveryCollector.php:179
The core/js-cookie asset library is deprecated in Drupal 10.1.0 and will be removed in Drupal 11.0.0. There is no replacement. See https://www.drupal.org/node/3322720

Triggered by:

* Drupal\Tests\piwik_pro\Functional\PiwikProCspIntegrationTest::testCspHeaderWithoutPiwikProConfiguration
  /var/www/html/web/modules/contrib/piwik_pro/tests/src/Functional/PiwikProCspIntegrationTest.php:227

The first one could be fixed by just changing this:
public static function getSubscribedEvents() {
to this
public static function getSubscribedEvents(): array {
in piwik_pro/src/EventSubscriber/PiwikProCspAlterSubscriber.php

lakdev’s picture

lakdev commented

Hi @hartsak,

Thanks for testing and your feedback! I fixed the first issue though I'm not sure whether the other ones are related to any of my code since I'm not really using those classes.

I'm running PHPUnit via DDEV Contrib - Can you maybe also explain how to see those deprecations since I'm not getting them by default?

hartsak’s picture

hartsak commented
Status: Needs work » Reviewed & tested by the community

Hello again @lakdev!

Thank you for fixing those warnings. I think we can ignore those other ones I mentioned about if you didn't see them in your own local.

I'll mark this as RTBC and let's get this merged soonish!

hartsak changed the visibility of the branch 1.1.x to hidden.

hartsak changed the visibility of the branch 3482341-add-support-for to hidden.

  • lakdev committed ddf138af on 1.4.x 
    Issue #3482341: Add return types and service check

  • lakdev committed 2b425919 on 1.4.x 
    Issue #3482341: Add CSP header tests

  • lakdev committed dae45dfa on 1.4.x 
    Issue #3482341: Use csp service for nonce generation

  • lakdev committed ba07c4aa on 1.4.x 
    Issue #3482341: Fix code check issues

  • jorgik committed 78a5c15b on 1.4.x 
    Issue #3482341: Add support for CSP headers. Add check for CSP events...

  • jorgik committed aa0ac2ce on 1.4.x 
    Issue #3482341: Add support for CSP headers. Removed commen lines

  • jorgik committed 4a1b140f on 1.4.x 
    Issue #3482341: Comment out nonce handling in CSP subscriber for...

  • jorgik committed 76a15226 on 1.4.x 
    Issue #3482341: Introduce CSP event subscriber to enhance Piwik PRO...

  • jorgik committed 636e7556 on 1.4.x 
    Issue #3482341: Refactor PiwikProSnippet to streamline CSP nonce...

  • jorgik committed e165a2bb on 1.4.x 
    Issue #3482341: Simplify NonceGenerator by removing unnecessary...

  • jorgik committed 04851c76 on 1.4.x 
    Issue #3482341: Inject nonce generator service for CSP headers support

  • jorgik committed ed7e3f50 on 1.4.x 
    Issue #3482341: Add support for CSP headers
hartsak’s picture

hartsak commented
Status: Reviewed & tested by the community » Fixed

This is now merged and added as a new release 1.4.3

Thanks a lot for all contributors especially @jorgik and @lakdev!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

joshahubbers’s picture

joshahubbers commented

I enabled this setting on a site, and got a 500 error when viewing the site in anonymous mode. As logged in user it is working fijn. No error shows up in the drupal logs, but in the apache logs I see " Premature end of script headers: index.php". So I think something is not working correctly. I'll look into it if I can find the cause of the error.

joshahubbers’s picture

joshahubbers commented
Status: Fixed » Needs work
joshahubbers’s picture

joshahubbers commented

Hm, might be problem that the csp-headers make the header too big.

joshahubbers’s picture

joshahubbers commented

Confirmed that our header got too big, so I put this ticket back to fixed.

joshahubbers’s picture

joshahubbers commented
Status: Needs work » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.