[#37940] - [4.2] Improve nonce and strict-dynamic handling within the http header plugin
- Fixed in Code Base
- 18 Jun 2022
- Medium
- Build: 4.1-dev
- # 37940
- Diff
- zero-24:strictdynamic
User tests: Successful: Unsuccessful:
Pull Request for Issue #37461
Summary of Changes
Improve nonce and strict-dynamic handling within the http header plugin:
- once the nonce setting is enabled always add the nonce to the header and dont require an specific tag + bc handling.
- make sure strict-dynamic is the first setting set in the header.
Testing Instructions
First test
- Enable the nonce setting within the plugin
- check the http header
- confirm that the nonce is not added to the header
- add
{nonce}to script-src - confirm that the nonce is now at the header
- apply the patch
- confirm the nonce is still at the header
- remove the {nonce} tag
- confirm the nonce is still at the header
Seccond test
- Enable the strict-dynamic setting
- set some own script-src settings and end that line with ";"
- confirm that the strict dynamic setting is than showed outside of the script-src
- apply this patch
- confirm that this issue is resolved
Actual result BEFORE applying this Pull Request
- Nonce only added to the header once the {nonce} tag is aviable
- In some cases the strict-dynamic setting is generated outside of the script-src
Expected result AFTER applying this Pull Request
- Nonce is added to the header once the setting is enabled
- The {nonce} tag will still be removed to keep B/C
- The strict-dynamic option is now always at the first option once enabled
Documentation Changes Required
n.a. (as the {nonce} was never documented)
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End Plugins |
With strict dynamic enabled, I get strict dynamic inside the script-src directive and outside the script-src directive. With strict-dynamic disabled, I get no strict-dynamic inside and outside the script-src directive.
@gopitzohlsen Does that mean you have successfully tested this pull request? If so, could you go to the issue tracker here https://issues.joomla.org/tracker/joomla-cms/37940 and use the blue "Test this" button at the top left corner? Just use the button, then select your test result and then submit. Thanks in advance.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37940.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37940.
But I think this change should go into 4.2.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
?
|
||
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37940.
Yes agree, thanks for this changes, but I will rebase to 4.2.
| Labels |
Added:
?
|
||
| Title |
|
||||||
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-06-18 13:57:08 |
| Closed_By | ⇒ | roland-d | |
| Labels |
Added:
?
Removed: ? |
||
Thanks everybody
With strict dynamic enabled, I get strict dynamic inside the script-src directive and outside the script-src directive.
With strict-dynamic disabled, I get no strict-dynamic inside and outside the script-src directive.