[#33550] - [4.0] Remove com_csp and move the CSP configuration to the HttpHeaders plugin
- Fixed in Code Base
- 7 May 2021
- Medium
- Build: 4.0-dev
- # 33550
- Diff
- zero-24:remove_csp
User tests: Successful: Unsuccessful:
Summary of Changes
After discussions within Production it has been decided today (official note will be included in the upcomming meeting minutes) to drop com_csp from Joomla 4.0 and move the "manuall" CSP settings back to the Plugin. While it could be re-implemented in a future version.
This PR now does that by removing the backend and frontend code of com_csp as well as install and update sql logic stuff.
With that removal the collection and autogeneration of CSP rules will be gone from Joomla 4.0 but the Plugin will still allow to setup the CSP rules.
Testing Instructions
Test Case #1
- Install the build (https://ci.joomla.org/artifacts/joomla/joomla-cms/4.0-dev/33550/downloads/43088/Joomla_4.0.0-beta8-dev+pr.33550-Development-Full_Package.zip)
- Make sure there is no com_csp any more.
- Confirm that the Plugin System HttpHeaders now includes also the CSP settings.
Test Case #2
- Install a 4.0.0beta7
- confirm that com_csp is there
- set the update server to (https://ci.joomla.org/artifacts/joomla/joomla-cms/4.0-dev/33550/downloads/43088/pr_list.xml)
- Update to the new build thats provided
- Confirm that com_csp is gone
- Confirm that the plugin has the new options
Actual result BEFORE applying this Pull Request
com_csp is there
Expected result AFTER applying this Pull Request
com_csp is gone
Documentation Changes Required
- The docs pages for the component and the options page needs to be removed
- The existing doc page needs to be adjusted and updated with the changes done here.
B/C implications
With the removal of com_csp the auto generated csp rules are gone and they will not be migrated, please extract them before you install the update that drops this feature and set it as Forced HTTP Header or via the new setting implmented here.
Personal note
I would like to thank all the people that helped to get to this feature to this place specificly @yvesh and @SniperSister who worked together with me to bring that idea to live. As well as all the other people who put work and effort into extending and improving the current implementation until now. I personally still think this is an important feature to the CMS but I will follow the decision taken by Production.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Repository Administration com_admin SQL Postgresql com_csp com_menus Language & Strings |
| Title |
|
||||||
| Labels |
Added:
?
?
?
?
|
||
| Labels |
Added:
?
Removed: ? |
||
The removal of the files vis the script.php should be part of the build script and is not added here in for that reason.
If so, it has to be done also before the next J4 release (Beta or RC, whatever it will be ;-) ).
In order not to miss that I'd prefer it to be done with this PR, since the files and folder removal in script.php has just recently been updated after the upmerge so it is ready for release, except of changes due to this PR here. Or @wilsonge gives me enough time to do it after the merge of this PR and before the release, so I can do it using the script.
100% agree with @richard67
Please remove
Install the build (https://ci.joomla.org/artifacts/joomla/joomla-cms/4.0-dev/33550/downloads/43088/Joomla_4.0.0-beta8-dev+pr.33550-Development-Full_Package.zip)
Not Found
The requested URL was not found on this server.
@sandewt The links might be outdated due to new commits to this PR. You can find the right links when going down to the bottom, using the "Show all checks" to expand the CI checks, then follow the "Details" link at the right side of the "Downloads" step. There you can find the link to the full installation package for the 1st test and the link to a custom update URL which you can use for the 2nd test.
@sandewt Please wait a bit with testing, the PR will receive an update soon, and then new packages will be built again.
@sanderpotjer Sorry, ignore the notification, I mentioned you by accident.
@sandewt The links might be outdated due to new co...
Thanks @richard67, I found the package(s).
Following question, how to install 4.0.0beta7 ?
| Labels |
Added:
?
Removed: ? |
||
Following question, how to install 4.0.0beta7 ?
https://github.com/joomla/joomla-cms/releases/tag/4.0.0-beta7
I have tested this item
Test Case #1 is OK
Test Case #2 is OK
Didn't look / did nothing with the B/C implications !?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33550.
| Labels |
Added:
?
Removed: ? |
||
| Labels |
Added:
?
Removed: ? |
||
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33550.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33550.
rdeutz
- | Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-05-07 07:05:34 |
| Closed_By | ⇒ | rdeutz | |
| Labels |
Added:
?
?
Removed: ? |
||
Thanks for testing and merging here.
Silly me: When reviewing especially the SQL parts of this PR, I have not noticed that the "#__csp" table hasn't been removed from the "supports.sql" files so it is still created on new installations. Am just preparing the PR to fix that.
The http headers docs page has been updated and com_csp mention has been removed and the help pages have just been requested to be removed from the docs page too.
Just out of interest and since the meeting minutes are not linked: What was the reason for the decision to remove the component?
When this is removed the helpTOC script will need to be rerun