fix: split large Content-Security-Policy headers over multiple HTTP headers#60337
Open
n-iv wants to merge 3 commits into
Open
fix: split large Content-Security-Policy headers over multiple HTTP headers#60337n-iv wants to merge 3 commits into
n-iv wants to merge 3 commits into
Conversation
…eaders When the Content-Security-Policy header exceeds 7800 bytes (which happens with federation across ~20+ trusted servers), split it into multiple header() calls. Apache mod_proxy_fcgi otherwise fails with AH01070 because HUGE_STRING_LEN is hardcoded at 8192 bytes. Per CSP Level 3 §3.1, multiple CSP headers are enforced as the intersection of policies, so client behavior is unchanged. Signed-off-by: Nicolas Varlot <nicolas.varlot@ac-versailles.fr>
n-iv
requested review from
ArtificialOwl,
icewind1991,
leftybournes and
provokateurin
and removed request for
a team
There was a problem hiding this comment.
Pull request overview
This PR addresses Apache mod_proxy_fcgi failures caused by oversized Content-Security-Policy response headers by splitting long CSP/Feature-Policy values into multiple header() calls (splitting only between directives) to stay under a safe per-header length threshold.
Changes:
- Add logic in the HTTP output layer to split large
Content-Security-PolicyandFeature-Policyheaders into multiple header lines. - Keep splitting boundaries at directive separators (
;) to avoid splitting inside directives.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nicolas Varlot <nicolas.varlot@ac-versailles.fr>
Added comments to explain the hardcoded value Signed-off-by: Nicolas Varlot <nicolas.varlot@ac-versailles.fr>
Contributor
|
cc @skjnldsv could be related to nextcloud/documentation#13803 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When the
Content-Security-Policyheader exceeds 7800 bytes, split it into multipleheader()calls. Apachemod_proxy_fcgiotherwise fails withAH01070 Error parsing script headersand returns HTTP 500 becauseHUGE_STRING_LENis hardcoded at 8192 bytes inhttpd.hand is used to parse FCGI response headers. Raising this limit by recompiling Apache does not fix the issue (other related FCGI buffer limits sit at the same value).The split is performed only between directives, never inside one. Per CSP Level 3 §3.1, multiple CSP headers are enforced as the intersection of the conveyed policies, so behavior is unchanged for compliant clients.
Checklist
3. to review, feature component)stable32)AI (if applicable)