unocha / ocha_security
Installs: 254
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 4
Forks: 0
Open Issues: 0
Type:drupal-module
Requires
- composer/installers: ^1.2
Requires (Dev)
- drupal/coder: ^8.3
- sebastian/phpcpd: ^6.0
This package is auto-updated.
Last update: 2024-11-29 06:36:04 UTC
README
This is primarily a helper for the seckit module. More security-related fixes that apply to all sites would be welcome.
CSP rules are a bit confusing. Add to or improve these notes if they make it more so.
Seckit module helper.
Prepares hashes, or a nonce for logged-in users, to allow CSP protection for scripts. Requires the seckit module, with this patch. (Note, the patch might soon be replaced, check status on the ticket).
This is necessary to avoid rules allowing the use of 'eval' or 'unsafe-inline', for 'script-src' which undermine the point of using the seckit module.
Note that it is recommended to use 'unsafe-inline' if a nonce or a hash is included, as this will work with CSP level 1 browsers but will be ignored by CSP level 2 browsers. Not the best reference
For logged-in users, where the page is not cached, a nonce (Number used ONCE) must be generated for each request, but can be used for all of the scripts.
For anonymous users, where the page is cached, a hash must be created for each separate script. Inline scripts use a hash of the script itself, attached files use a hash of the filename. These can be re-used across requests.
This adds hashes or a nonce to script elements, assets and attachments, and the same to the CSP directives.
Notes
@todo Find a resource to explain what Drupal means by 'element', 'asset' and 'attachment'.
Adds nonce to/ creates hash for scripts as:
Elements (via pre-render hook)
src/Element/OchaSecurityHtmlPreRender.php
Assets
src/Asset/OchaSecurityAssetResolver.php
Attachments
ocha_security_page_attachments_alter()
Also ensures the sameSite=Lax header for cookies, though this is now default
behavior in modern browsers
src/Session/OchaSecuritySessionConfiguration.php
Hashes and nonces require extra work - they "are only intended for cases where removing inline scripts is not an option" (source). We might consider using only hashes and caching them.
'strict-dynamic' overrides any allowed domains in the seckit configuration, but only for browsers which implement CSP-v3. So a nonce or hash is necessary for all scripts.