drupal-starter icon indicating copy to clipboard operation
drupal-starter copied to clipboard

Add seckit and HSTS [3h]

Open amitaibu opened this issue 2 years ago • 5 comments

@mariano-dagostino I believe you've implemented it on other projects. Do you see any downside in including it by default with Drupal-stater?

amitaibu avatar Aug 11 '22 07:08 amitaibu

@amitaibu The only issue I see is you need to be aware of seckit blocking remote URL calls by your js code. Therefore if you have some elm or js app that do a get requests to an external api, you need to whitelist it in the seckit config.

This also applies for iframe content, so google maps, youtube embeds, etc need to be whitelisted as well.

mariano-dagostino avatar Aug 11 '22 11:08 mariano-dagostino

you need to whitelist it in the seckit config.

Let's add that to the README.

so google maps, youtube embeds, etc

Good point. Let's add to the README, but also let's whitelist those services (Youtube, Maps, Google Analytics, come to mind)

amitaibu avatar Aug 11 '22 12:08 amitaibu

@amitaibu I've been checking this today, it seems there is a big catch. If you use Ckeditor you need to enabled script-src: 'unsafe-inline` which is not a good practice.

I've been doing some research and there is an alternative module to seckit called CSP I've never used it, but it seems it adds this unsafe-inline option conditionally when CKeditor is in place.

Anyways now rethinking my answer I think Seckit is not a good candidate for drupal starter. So either we try CSP, or close this issue.

1h

mariano-dagostino avatar Aug 12 '22 20:08 mariano-dagostino

Seckit seems to be more popular and has more options to harden the site. Can you give it ~2h to see what would be a possible path for it and CKeditor.

amitaibu avatar Aug 13 '22 18:08 amitaibu

@amitaibu We may have more luck with CKEditor 5 (now included in core) https://ckeditor.com/docs/ckeditor5/latest/installation/advanced/csp.html

Screenshot_2022-10-24_10-49-04

I don't know if CKEditor for core is already doing this. I checked the issue queue and haven't found anything related to this topic. Anyways seems the most promising path of action.

  • Check if CKEditor 5 is already using external CSS files.
  • Configure Seckit accordingly.
  • If CKeditor is not using external CSS files, open a drupal issue to request this change.

+0.5h

mariano-dagostino avatar Oct 24 '22 13:10 mariano-dagostino

@mariano-dagostino let's revive this when you have time.

amitaibu avatar Apr 17 '23 11:04 amitaibu

@amitaibu It seems Ckeditor 5 works fine with seckit. I'm not 100% sure if the functionality remains the same between upgrades, but so far the editor works and no error is triggered in the console.

2023-05-26_17-25_1

2023-05-26_17-25

+1.5

mariano-dagostino avatar May 26 '23 20:05 mariano-dagostino

The latest merged PR #512 just got deployed successfully to Pantheon qa environment

GizraNotifier avatar Jun 01 '23 04:06 GizraNotifier