Title | Status | Priority | Category | Version | Component | Replies | Last updated | Assigned to | Created |
---|---|---|---|---|---|---|---|---|---|
Store each CSP rule on a seperate line in config | Active | Normal | Feature request | 2.x-dev | Code | 1 | 1 day 12 hours | | 1 day 12 hours |
CSP: Directive script-src-elem violated with googletagmanager | Reviewed & tested by the community | Normal | Support request | 2.x-dev | Code | 15 | 6 days 5 hours | | 3 years 5 days |
Support flood control for CSP violation reports | Needs work | Major | Task | 8.x-1.x-dev | Code | 63 | 1 week 19 hours | kmoll | 8 years 3 weeks |
Permissions Policy Support | Needs work | Normal | Feature request | 2.x-dev | Miscellaneous | 10 | 1 week 3 days | | 3 years 2 months |
Provide hook_seckit_options_alter() D8 | Reviewed & tested by the community | Major | Feature request | 2.x-dev | Code | 20 | 1 week 3 days | | 7 years 3 months |
Avoid using document.write('<!--'); | Needs review | Normal | Task | 2.x-dev | Code | 25 | 2 weeks 1 day | | 3 years 3 months |
Add worker-src | Active | Normal | Feature request | 2.0.1 | Code | 2 | 3 weeks 1 day | | 3 weeks 1 day |
Automated Drupal 11 compatibility fixes for seckit | Needs review | Normal | Task | 2.0.1 | Code | 3 | 3 weeks 3 days | | 3 weeks 3 days |
Question about HSTS max-age | Active | Normal | Support request | 2.0.1 | Miscellaneous | 1 | 4 weeks 3 hours | | 4 weeks 3 hours |
t() calls should be avoided in classes. | Needs review | Normal | Task | 2.0.1 | Code | 2 | 1 month 1 week | | 1 month 1 week |
Store CSP sources as a list of values on multiple lines to increase manageability and prevent merge conflicts | Needs review | Normal | Feature request | 2.x-dev | Code | 11 | 1 month 1 week | | 6 months 4 days |
\Drupal calls should be avoided in classes, use dependency injection instead | Needs review | Normal | Task | 2.0.1 | Code | 2 | 1 month 1 week | | 1 month 1 week |
Breaks sitemap.xml when JS +CSS + Noscript protection is enabled | Needs review | Normal | Bug report | 2.0.0 | Code | 6 | 1 month 1 week | | 2 years 10 months |
Add phpcs and drupal-check fixes | Needs review | Normal | Task | 2.x-dev | Code | 32 | 1 month 1 week | | 2 years 1 month |
Change Feature Policy to Permissions Policy (D8/D9) | Needs work | Normal | Feature request | 2.x-dev | Code | 26 | 2 months 2 days | | 3 years 4 months |
Add Gitlab CI | Needs work | Normal | Task | 2.x-dev | Code | 4 | 2 months 4 days | | 2 months 1 week |
Misleading recommendation for CSP directive "frame-src" | Reviewed & tested by the community | Normal | Task | 7.x-1.x-dev | Documentation | 4 | 2 months 1 week | | 1 year 6 hours |
Fix D7 Forms API syntax | Reviewed & tested by the community | Normal | Bug report | 7.x-1.x-dev | Code | 4 | 2 months 1 week | | 8 months 4 weeks |
Google URL's are blocked. | Active | Major | Support request | 2.0.1 | Miscellaneous | 1 | 2 months 2 weeks | | 2 months 2 weeks |
Add support for setting referer policy from route in issue #3027122 | Needs work | Normal | Feature request | 2.x-dev | Code | 3 | 2 months 3 weeks | gordon | 2 years 8 months |
Lottie files / base64 encoding | Active | Normal | Support request | 7.x-1.11 | Miscellaneous | 2 | 3 months 1 day | | 1 year 1 month |
Clickjacking CSS protection hides content when site is embed inside an iframe, even if frame-ancestors is set | Needs review | Normal | Bug report | 2.0.1 | Code | 4 | 3 months 3 days | | 3 months 5 days |
Add form-action directive | Needs review | Normal | Feature request | 2.0.0 | Code | 18 | 3 months 1 week | | 2 years 10 months |
Uncaught DOMException: Permission denied to access property "hostname" on cross-origin object | Active | Critical | Support request | 2.0.1 | Code | 5 | 4 months 5 days | | 5 months 1 week |
Add a reference to csp_log in documentation | Active | Minor | Task | 2.0.1 | Documentation | 1 | 4 months 2 weeks | | 4 months 2 weeks |
Drupal calls should be avoided in classes, use dependency injection instead | Needs review | Normal | Task | 2.0.0 | Code | 5 | 5 months 1 week | | 5 months 2 weeks |
How to set httpOnly flag on cookies? | Needs review | Normal | Support request | 2.0.1 | Documentation | 5 | 5 months 2 weeks | | 5 months 2 weeks |
Drupal 9.1 Deprecated Code Report | Needs review | Normal | Task | 2.x-dev | Code | 16 | 8 months 3 weeks | sourabhjain | 3 years 3 months |
default-src has wrong description | Needs work | Major | Bug report | 2.x-dev | Documentation | 14 | 8 months 3 weeks | | 3 years 2 months |
report-uri is deprecated | Active | Normal | Bug report | 2.0.1 | Code | 3 | 8 months 3 weeks | | 12 months 7 hours |
Implement a "semi automatic" Nonce settings | Needs work | Normal | Feature request | 2.0.0 | Miscellaneous | 19 | 8 months 3 weeks | | 2 years 6 months |
The base-uri policy is missing | Needs review | Normal | Bug report | 2.x-dev | Code | 35 | 8 months 4 weeks | | 4 years 4 months |
Add support for form-action CSP directive | Active | Normal | Feature request | 7.x-1.x-dev | Code | 3 | 8 months 4 weeks | | 6 years 3 months |
"Directive style-src-elem violated." | Needs review | Normal | Feature request | 7.x-1.x-dev | Code | 16 | 8 months 4 weeks | | 3 years 7 months |
Add worker-src | Needs review | Normal | Feature request | 7.x-1.x-dev | Code | 11 | 8 months 4 weeks | | 1 year 8 months |
Remove type="text/javascript" from <script> tag | Needs review | Normal | Task | 2.0.1 | Code | 6 | 10 months 3 hours | | 10 months 1 day |
Deprecated Feature Used Expect-CT header | Needs review | Normal | Bug report | 2.x-dev | Code | 3 | 10 months 3 weeks | | 1 year 5 months |
Update CSP directives | Needs review | Normal | Feature request | 2.0.1 | Code | 6 | 11 months 3 weeks | | 6 years 6 months |
Extend length of src fields | Needs review | Major | Feature request | 2.0.0 | Code | 6 | 11 months 4 weeks | | 3 years 2 weeks |
Add manifest-src | Active | Normal | Feature request | 2.0.0 | Code | 2 | 1 year 1 day | | 3 years 2 weeks |
Add 'Disable Security Kit' option back | Active | Normal | Feature request | 2.x-dev | User interface | 1 | 1 year 2 days | | 1 year 2 days |
Strict-Transport-Security is not changing | Active | Major | Bug report | 2.0.1 | Code | 1 | 1 year 2 days | | 1 year 2 days |
ALLOW-FROM directive in x-frame-options is obsolete | Active | Normal | Bug report | 2.0.0 | Code | 3 | 1 year 2 weeks | | 1 year 5 months |
Offering to maintain Security Kit | Active | Normal | Support request | 2.x-dev | Miscellaneous | 10 | 1 year 1 month | | 1 year 4 months |
Enabling "Enable JavaScript + CSS + Noscript protection" causes invalid HTML | Needs work | Normal | Bug report | 2.x-dev | Code | 22 | 1 year 1 month | | 4 years 9 months |
Deprecate / Remove Content Security Policy configuration in favour of Content Security Policy module | Active | Normal | Plan | 8.x-1.x-dev | Code | 4 | 1 year 2 months | | 5 years 10 months |
Reverse proxies and load balancers can add security headers too. Document that fact in the UI. | Active | Normal | Task | 2.x-dev | User interface | 2 | 1 year 3 months | | 1 year 3 months |
How to add all google tlds for CSP | Active | Normal | Support request | 2.0.0 | User interface | 8 | 1 year 4 months | | 1 year 10 months |
CSP policy-uri field does nothing | Active | Normal | Bug report | 2.x-dev | Code | 3 | 1 year 7 months | | 1 year 7 months |
Problems with redirect www to non-www | Active | Normal | Bug report | 2.0.0 | Code | 1 | 1 year 7 months | | 1 year 7 months |