
Draft: Replace X-Frame-Ancestors with Content-Security-Policy

Open Geoff Appleby requested to merge issue/drupal-2513356:2513356-csp-in-core into 11.x
3 unresolved threads

Closes #2513356

Merge blocked: 1 check failed

Merge details

  • The source branch is 1118 commits behind the target branch.
  • 1 commit will be added to 11.x.
  • Source branch will not be deleted.

Activity

  • 167
    168 $request = $this->createMock(Request::class);
    169 $response = $this->createMock(Response::class);
    170 $response->headers = new ResponseHeaderBag();
    171 $event = new ResponseEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST, $response);
    172
    173 $finishSubscriber->onRespond($event);
    174
    175 $this->assertEquals(["default-src 'self'"], $response->headers->all('Content-Security-Policy-Report-Only'));
    176 $this->assertEquals(["script-src * 'unsafe-inline'"], $response->headers->all('Content-Security-Policy'));
    177 }
    178
    179 /**
    180 * Data Provider for testing conversion of X-Frame-Options to CSP header.
    181 *
    182 * @todo Remove in Drupal 11.0.0. See https://www.drupal.org/project/drupal/issues/2513356
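
Review bot: Lines 168-170 mock `Request` and `Response` and then assign a real `ResponseHeaderBag` to `$response->headers`; plain `new Request()` and `new Response()` objects would exercise the same header handling without the mocks. `assertSame` would be stricter than `assertEquals` for the header arrays checked at lines 175-176. The `@todo` at line 182 says to remove the provider in Drupal 11.0.0 while this merge request targets 11.x, so the removal version needs updating.
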
  • 195 ],
    196 'deny' => [
    197 'DENY',
    198 "script-src * 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'",
    199 ],
    200 'domain' => [
    201 'ALLOW-FROM https://example.com',
    202 "script-src * 'unsafe-inline'; object-src 'none'; frame-ancestors https://example.com",
    203 ],
    204 ];
    205 }
    206
    207 /**
    208 * X-Frame-Options should be converted to a CSP header.
    209 *
    210 * @todo Remove in Drupal 11.0.0. See https://www.drupal.org/project/drupal/issues/2513356
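
Review bot: The provider cases visible at lines 196-203 cover only an upper-case `DENY` and a well-formed `ALLOW-FROM https://example.com`; add cases for mixed-case or padded values and for an `ALLOW-FROM` value that is empty or contains `;` or `,`, asserting that nothing beyond a single origin ends up in `frame-ancestors`. Each expected string also repeats `script-src * 'unsafe-inline'; object-src 'none'`, so any change to the default policy breaks every case; building the expectation from the default plus the `frame-ancestors` part would keep the test focused on the conversion.
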
  • 37 37 debug: false
    38 38 factory.keyvalue:
    39 39 default: keyvalue.database
    40 http.response.content_security_policy:
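
Review bot: The new `http.response.content_security_policy` parameter at line 40 has no comment in the visible lines; since it sets a site-wide security header, document its keys and how a site overrides or disables the default next to the parameter.
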
  • added 1 commit

  • Geoff Appleby added 456 commits

  • Geoff Appleby added 1 commit

    • 660d0624 - Update deprecation and todo links
