Motivations for this task:
- Problem with CKEditor - incompatible with CSP: https://www.drupal.org/project/seckit/issues/2604236
- "because you can't even edit views settings when CSP is enabled. (and unsafe-eval is disabled)" - https://www.drupal.org/project/seckit/issues/2844205
The proposal is to be able to add path-based configuration overrides to the SecKit config.
Let's say you have a CKEditor on node add / edit pages that's only accessible for admins.
You have only one choice right now: allow unsafe-* things for everyone in CSP.
With this proposal, you'd be able to add a config override for:
- `node/add/*`
- `node/*/edit`
And activate the `unsafe-*` directives only there, which limits the possible source of attacks.
The proposed configuration form change:

| Comment | File | Size | Author |
|---|---|---|---|
| #7 | 3064813-seckit-config-override-7.patch | 46.77 KB | aron novak |
| #6 | 3064813-seckit-config-override-6.patch | 46.13 KB | aron novak |
| | Screenshot_20190628_152359.png | 49.23 KB | aron novak |
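The path-scoped relaxation the proposal describes, as an added illustration that is not code from this issue or from the SecKit module: a strict base policy, one override keyed on Drupal-style path patterns, and the effective header for a few request paths. The pattern expansion (`*` matching any run of characters, as Drupal's path matcher does), the override structure and all policy values are assumptions.

```python
import re

# Strict site-wide baseline (constructed values, not SecKit defaults).
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
}

# One override as in the proposal: relax only on node add/edit pages.
# Directives listed here replace the base directive of the same name.
OVERRIDES = [
    {
        "paths": ["node/add/*", "node/*/edit"],
        "policy": {
            "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
            "style-src": ["'self'", "'unsafe-inline'"],
        },
    },
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Drupal-style pattern: '*' matches any run of characters (slashes too)."""
    escaped = re.escape(pattern.strip("/")).replace(r"\*", ".*")
    return re.compile(rf"^{escaped}$")


def select_override(path: str, overrides=OVERRIDES):
    """Return the policy of the first override whose patterns match `path`."""
    normalized = path.strip("/")
    for override in overrides:
        if any(pattern_to_regex(p).fullmatch(normalized) for p in override["paths"]):
            return override["policy"]
    return None


def build_csp(path: str, base=BASE_POLICY, overrides=OVERRIDES) -> str:
    """Serialize the effective policy for one request path."""
    policy = dict(base)
    override = select_override(path, overrides)
    if override is not None:
        policy.update(override)
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def relaxed_paths(paths, token="'unsafe-eval'"):
    """Report which of the given request paths would receive the relaxed source."""
    return [p for p in paths if token in build_csp(p)]


if __name__ == "__main__":
    for p in ("/node/add/article", "/node/42/edit", "/node/42", "/user/login"):
        print(f"{p:18} -> {build_csp(p)}")
```

Because `*` spans slashes, `node/*/edit` also matches deeper paths such as `node/42/revisions/3/edit`; keep that in mind when deciding how broad an override pattern should be.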
Comments
Comment #2
aron novak
The patch is just the start.
Still need to:
- handle configuration saving / loading
- properly delete the selected override
- use the proper override in
`web/modules/contrib/seckit/src/EventSubscriber/SecKitEventSubscriber.php`
Comment #3
aron novak
The config storage part is there, the form is partially converted to be able to use default values either from the base config or from the override.
Comment #4
aron novak
This version has the proposed way of the logic, it still needs testing and finalization.
Comment #5
aron novak
Now the patch can be used to maintain configuration overrides, it started to work, however the patch still needs some work before it's ready for review.
Comment #6
aron novak
Now it has a bit better CRUD for the overrides itself.
Comment #7
aron novak
The form CRUD is not perfect, but now it has flexible pattern handling.
Comment #8
dagmar
This textfield is too short for production purposes. What about changing this into a textarea?
Comment #9
aron novak
@dagmar: Good point, the patch generally needs work, indeed the UX would be much better with a textarea, often we need several paths listed for the same set of configuration.
Comment #10
mxr576
Any update on this? It seems we can either add CSP - which is a generic security requirement nowadays - or use CKEditor.
Comment #11
mxr576
It looks like the problem with CSP is not just about CKEditor and Views UI.
Comment #12
gapple
The Content-Security-Policy module (https://www.drupal.org/project/csp) has the ability to apply policy alterations per-request via an event subscriber, and includes handlers to apply `'unsafe-inline'` as needed when individual core libraries (ckeditor, ajax) are added to the page.
Comment #13
lunk rat
#12 sounds nice, but the CSP module is not available for D7.
A feature in SecKit to allow override of CSP per-path (or even better would be conditionally when certain libraries are loaded) would still be a welcome feature on SecKit, especially if it gets backported to D7.
Comment #14
queenvictoria
FYI There is now a D8/9 version of the CSP module.
https://www.drupal.org/project/csp