定制 wieni/wmcontent_security_policy 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

wieni/wmcontent_security_policy

Composer 安装命令:

composer require wieni/wmcontent_security_policy

包简介

Secure your Drupal site using a Content Security Policy header

README 文档

README

Latest Stable Version Total Downloads License

Secure your site using a Content Security Policy header

Why?

  • Content Security Policy adds a security layer to detect and mitigate the risk of Cross Site Scripting (XSS), data injection, and other vulnerabilities.
  • The csp Drupal module is more feature-complete, but ours has a simpler interface and doesn't allow inline scripts on pages using Drupal AJAX.

Installation

This package requires PHP 7.2 and Drupal 8 or higher. It can be installed using Composer:

 composer require wieni/wmcontent_security_policy drupal/multivalue_form_element:dev-3199142-drupal-9-compatibility"

Patches

For this module to work, it is necessary to patch Drupal core and the Multi-value form element module. If you manage your installation with Composer, you should use the cweagans/composer-patches package to manage and automatically apply patches. If not, please check the documentation for instructions on how to manually apply patches.

If the patches below don't apply to your package versions, you should visit the relevant issues and find older or newer patches.

// composer.json
{
    "extra": {
        "composer-exit-on-patch-failure": true,
        "patches": {
            "drupal/core": {
              "#2264739: Allow multiple field widgets to not use tabledrag": "https://www.drupal.org/files/issues/2021-01-23/2264739-105.patch"
            },
            "drupal/multivalue_form_element": {
              "#3199172 Handle default values of nested elements": "https://git.drupalcode.org/project/multivalue_form_element/-/merge_requests/2.patch",
              "#3199298 Don't add an empty element when the multivalue element is disabled": "https://git.drupalcode.org/project/multivalue_form_element/-/merge_requests/3.patch",
              "#3200306 Add support for non-orderable multivalue form elements": "https://git.drupalcode.org/project/multivalue_form_element/-/commit/ef4d01ae56a809fc2349d8fec8185ace3b63d15d.patch"
            }
        }
    }
}

How does it work?

Managing default sources

Using the form at /admin/config/system/content-security-policy/default-sources, you can set default sources for the different policy directives. These sources should be required for the website to function properly.

Sources you add there are stored in configuration, so you can export them and add them to version control.

To manage these sources, you need the administer default content security policy sources permission.

Managing custom sources

Using the form at /admin/config/system/content-security-policy/custom-sources, you can add custom sources to the different policy directives.

Sources you add here are stored in the database and will not be exported with configuration. This is useful to allow content editors to add sources required for certain site content.

To manage these sources, you need the administer custom content security policy sources permission.

Adding script hashes

If you want to include certain inline scripts (eg. a Google Analytics snippet) without allowing script-src: 'unsafe-inline', you can add the hashes of these scripts to your script-src policy (more information here).

You can add script hashes in Twig by using the addCspHash function:

{{ addCspHash("'sha256-n4MwUTyKKCBlMIFkvcS3dkmlRFEcqSm/V0IOhZelzA0='") }}

You can add script hashes in code by using wmcontent_security_policy.content_security_policy:addScriptHash:

\Drupal::service('wmcontent_security_policy.content_security_policy')
    ->addScriptHash("'sha256-n4MwUTyKKCBlMIFkvcS3dkmlRFEcqSm/V0IOhZelzA0='");

Finally, it's also possible to add script hashes like any other source through the administration forms.

Events

One event is provided, which allows you to dynamically add sources right before the header is built.

<?php

use Drupal\wmcontent_security_policy\ContentSecurityPolicyEvents;
use Drupal\wmcontent_security_policy\Event\SourcesAlterEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

class ContentSecurityPolicySourcesSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        $events[ContentSecurityPolicyEvents::SOURCES_ALTER][] = ['onSourcesAlter'];

        return $events;
    }

    public function onSourcesAlter(SourcesAlterEvent $event): void
    {
        if (!empty($_ENV['S3_CNAME'])) {
            $event->addSource('script-src', $_ENV['S3_CNAME']);
            $event->addSource('connect-src', $_ENV['S3_CNAME']);
            $event->addSource('style-src', $_ENV['S3_CNAME']);
        }
    }
}

Changelog

All notable changes to this project will be documented in the CHANGELOG file.

Security

If you discover any security-related issues, please email security@wieni.be instead of using the issue tracker.

License

Distributed under the MIT License. See the LICENSE file for more information.

wieni/wmcontent_security_policy 适用场景与选型建议

wieni/wmcontent_security_policy 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2.96k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2021 年 02 月 18 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 wieni/wmcontent_security_policy 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 wieni/wmcontent_security_policy 我们能提供哪些服务?
定制开发 / 二次开发

基于 wieni/wmcontent_security_policy 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 2.96k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 13
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 3
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2021-02-18