Problem/Motivation

It's perfectly valid to remove an entity type from code and you can still remove it from the stored definitions, as was solved here: #2655162: Fatal error when updating or deleting an entity type after removing its class/definition from the codebase

However, if there is any entity reference field that still pointed to the old entity type, you cannot use update.php to fix those fields because the site will crash before you get the chance to run your updates. The Drush command updb works fine.

This is because update.php has to render things, whereas Drush does not, and therefore calls hook_theme() on all modules. When it gets to views_theme(), all Views plugins are loaded, which in turn cascades through views_views_data(), core_field_views_data and eventually winds up in EntityReferenceItem::schema() where the following exception is thrown:

Field '%s' on entity type '%s' references a target entity type '%s' which does not exist.

Steps to reproduce

1. Create a field on a node that points to a custom entity type
2. Remove said entity type from code
3. Visit update.php

Proposed resolution

Some suggestions:

• Limit the hook_theme invocations when using the UpdateKernel to just the bare minimum: system and the active theme for update.php
• Put the views_theme hook behind a flag which is turned off for UpdateKernel as Views is the root cause here (and in some other issues too)
• Use an alternate render strategy for update.php
• ...

Remaining tasks

Figure out a proper solution

User interface changes

N/A

API changes

Maybe some, depending on solution chosen.

Data model changes

N/A

Release notes snippet

N/A

Problem/Motivation

User themes can have something like font-size: 1vw; (just for instance) set on html tag, to have proportional scaling of all UI elements no matter which resolution of the screen.

Almost all sizes of everything related to Navigation module are based on --admin-toolbar-rem CSS variable, which is doing its job great. However we still have few UI elements with the px sizes set, or some where don't have sizes set at all (for instance logotype)

Steps to reproduce

1. Standard profile installation
2. Enable Navigation module
3. Then on any page try to zoom out or zoom in
4. Then add for instance font-size: 1vw; to the html tag and try to zoom out or zoom it again

I found 3 UI elements (could be more, but seems only 3, at least i didn't find anything else) where we have to set or replace sizes in rems:
1. Logotype
2. Dividing line between sections in navigation bar
3. Outlines/borders, hovers and focuses (to be checked for all interactive elements which does have these states with outlines)

Proposed resolution

1. Convert existing hardcoded px values into rems (using --admin-toolbar-rem css variable)
2. For the elements like logotype - add sizes

I'm proposing using javascript events instead of Drupal.behaviors.

Problems

• It's a big Drupalism
• Drupal.behaviors makes monkey-patching a recommended way to change an init function.
• It's not flexible enough, contrib will build things that way and it ends up a terrible mess (see openlayers init function for an example). Using events would have helped dev to do the right thing.

Details

• The context variable already exists in event.target. Nothing special to be done here.
• It's possible to leverage custom events or to namespace events to allow scripts to bind a listener to the specific event it needs to react to.
• We can pass additional data to the event callback, to add the settings and trigger values we have right now with behaviors.

Benefits

• Remove a drupalism and help JS dev get into Drupal JS.
• Much more flexible.
• Loosely coupling is a better way to deal with this.

Also if we're considering the AMD proposal #1542344: Use AMD for JS architecture, there won't be a need to "weight" the behaviors or to play with the weight option of drupal_add_js to have them run at the proper time. AMD takes care of dependencies and making sure are executed in the right order.

Problem/Motivation

Hi all,

I have a Drupal site with translations (english, german, italian and french) enabled and some translated contents. I have english configured for the backend and for the admin account.

The situation is:
I'm on the content list and the language is english. Then I edit the german translation of a page. The URL changes to "/de/node/1/edit?destination=/en/admin/content"
If I save the changes, then I’m redirected to /en/admin/content, but if I don't save the changes, but I click again on Content (or anywhere else) and then the URL remains in german, also /de/admin/content. The texts are still displayed in english because the language of the admin user is set in the profile to "english".

Until now I didn't realize this behavior, but in the current project a PM saw it and said that it should never happen. Also, he thinks the URL should change to /en/admin/content event if don’t save the changes.

I'm now a bit confused.
On the one hand I think it's a normal behavior because you started the edition of a translation (german) and never finished it, because you have never saved or canceled the changes, but just clicked in another part of the site.
But on the other hand I only edited a translation and then I came back to a page wich is not in edit mode and the URL should recover the original language I was using.

Have some of you realized this behavior too?
In that case, do you think it's a normal behavior or is it something that needs to be fixed?

Thanks in advance for your answers.

Steps to reproduce

You should have a Drupal with more than one language enabled. Let's say: english and spanish.

1. Create a new node
2. Add a spanish translation for that node.
3. Visit the original node you created.
4. Edit the translation you added in the step 2. The URL looks like /es/node/1/edit?destination=/en/admin/content
5. Without saving the translation, click anywhere else on the page (i.e Content link in Toolbar).
6. In the URL you can see /es/admin/content

Info: If didn't set the language in the user profile, you'll see the texts translated too, but if you set it, then the text are still displayed in the language you set in the user profile.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

Drupal's mime type guesser is not registered with the symfony service. Therefore, if the Symfony guesser is accessed directly (e.g., in a Response object) the Drupal service is not used. In Drupal 8 this was registered but that code was since removed in error, so we are adding it back and completing the registration using current methods.

Steps to reproduce

See failing test in MR. Mime types are not properly guessed from file extensions, e.g. when sending binary files.

Proposed resolution

Register the MIME guesser in the same fashion it was previously.

Remaining tasks

Review

User interface changes

N/A.

API changes

None.

Data model changes

None.

Release notes snippet

N/A.

Problem/Motivation

Finished about two minutes after every other functional test, doesn't use @group #slow yet so let's see if that helps.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

When a site uses images from the media library, it takes a long chain of configuration to display images with a given responsive image style. When multiple node types (or other entities /w bundles) with multiple view modes require images with different styles, each variation requires its own chain of configuration.

Data chain: Node > Entity reference field > Image media > Image field
Format chain: Node view mode > Entity reference field formatter > Image media view mode > Image field formatter > Responsive image style

Proposed resolution

Introduce a new field formatter for entity reference fields that reference media entities to shorten the format chain.

New format chain: Node view mode > Responsive media image field formatter > Responsive image style

Remaining tasks

t.b.d.

User interface changes

New formatter for Entity reference fields referring to image media.

Release notes snippet

t.b.d.

Problem/Motivation

Content Security Policy is a browser feature that helps prevent XSS and other attacks by sending a header that informs the browser of trusted sources for page resources.

In modern browsers, it replaces the use of X-Frame-Options with the directive frame-ancestors.

Additional directives such as default-src, script-src, and style-src may be difficult to provide default a value in core such as 'self' because it will block third-party or inline resources that site builders expect to load.

For CSP spec see:
- http://www.w3.org/TR/CSP/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Securi...
- https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

The contrib modules Content-Security-Policy and Security Kit provide a user interface for configuring a site's Content Security Policy headers, but core should provide a reasonable default policy for sites.

The Reporting API contrib module provides a local endpoint for violation reports, and hosted services for monitoring violations are also available.
The potential for abuse of violation reporting (DoS attacks, bogus data, etc) is outlined at https://www.virtuesecurity.com/blog/abusing-csp-violation-reporting/

Proposed resolution

Implement a basic CSP header for Drupal core configurable through a service parameter, which replaces X-Frame-Options: SAMEORIGIN

Content-Security-Policy: frame-ancestors 'self'

For backwards compatibility of sites that have altered X-Frame-Options from the value set by core and not set a Content Security Policy header, translate the value to an equivalent Content-Security-Policy: frame-ancestors value and throw a deprecation warning.

Remaining tasks

• Service parameter name: http.response.content_security_policy (like http.response.debug_cacheability_headers) or csp.config (like cors.config) or ?
• Should a X-Frame-Options header present on a response be removed in 11.x, since browsers will ignore it when CSP is present?
• Decide on additional directives to add by default, such as script-src * 'unsafe-inline'; object-src 'none'
• Create followup to remove compatibility layer in 12.0.0, and set default policy in core.services.yml, and default.services.yml

User interface changes

None

API changes

A new services parameter http.response.content_security_policy has two properties, report_only and enforced, for setting a site's default Content Security Policies.
Modules can modify or replace the default policy headers by implementing a response subscriber.

Draft Change Record

Drupal 11.0 and earlier set a X-Frame-Options: SAMEORIGIN header by default, which can be overridden or removed by other modules.

In Drupal 11.1 and later, this will be replaced with a Content Security Policy header that includes frame-ancestors 'self'. To change the value of the Content Security Policy header, edit the http.response.content_security_policy service parameter.

For backwards compatibility on sites that have customized the X-Frame-Options header, Drupal 11.x will translate it to an equivalent Content-Security-Policy header, unless a customized policy has been defined in the services parameter.
Starting in Drupal 12, any X-Frame-Options header will be ignored, and Content-Security-Policy: frame-ancestors 'self' will be set by default.

Problem/Motivation

When I set a certain block to be cached for up to e.g. 15 minutes, then I expect that the containing page also emits a corresponding header. And I also expect Drupal's page cache to honor this.

Examples:

1. A block with a weather forecast summary. The data constantly changes so e.g. cache for maximum 15 minutes.
2. A View with a date filter relative to current time, such as "Upcoming Events", showing say 3 soonest future events. The block can be cached for maximum until the time/day of first event, then it must be refreshed to exclude the event now in the past.

Proposed resolution

TBD

Workaround

Install contrib module Cache Control Override. However this is not perfect, and if you use it you might hit the exact same problems that are making this issue be postponed (see #113).

1. Other system blocks such as forms, language switcher that are in fact cachable currently may emit max-age = 0 so will prevent caching after CCO is installed.
2. CCO disables dynamic cache as well as static cache.
3. CCO only detects max-age = 0 so it won't work if your block has a small positive max-age.

Also note that in the case of the second example above, Views will not automatically emit the correct max-age based on the presence of a date filter - you need to write a hook to do that.

Remaining tasks

We need to fix these issues first:

• #2888838: Optimize render caching
• #2578855: Form tokens are now rendered lazily, allow forms to opt in to be cacheable
• #2232375: Make language switcher block cacheable
• #2483181: Make book navigation block cacheable
• #2351015: URL generation does not bubble cache contexts: this one is marked as closed but RedirectFormBlock still contains max-age 0.

User interface changes

None.

API changes

None.

Problem/Motivation

I just ran into a case in a redirect contrib module: #3448469: "Delete redirects defined in the spreadsheet" misses to remove leading slash normalization where UrlHelper::parse() is used.

Drupal 8+ expects leading slashes for internal paths, but currently that's not represented or unified in that helper method.

So currently the output for
/node/123
is
/node/123

and for
node/123
is
node/123

and I think it makes sense to discuss if this internal Drupal helper method shouldn't better returned the unified Drupal path/node/123

In this example it leads to two different check sums for the same path in Drupal.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

With gitlab ci, overall test runs complete within around 15-18 minutes. However, if one test is individually very slow, this can block the pipeline from completing for sometimes minutes after all other tests have completed. If we can refactor these individual blocking tests, we may be able to get test runs well below 15 minutes. This should also reduce gitlab hosting costs since it will reduce the time that any particular test pod is reserved.

We can also link to gitlab configuration changes from this issue too, but focusing on tests for now since at least a couple will obscure other improvements.

Steps to reproduce

Proposed resolution

Identify bottlenecks in the pipelines and fix them, whether containers, pipeline configuration, or specific long-running tests:

#3387706: Don't make other tests depend on PHPUnit
#3386479: Copy less files around in ComponentsIsolatedBuildTest
#3386458: Add GenericModuleTestBase and use it to test general module things
#3387737: Split PHP image into php(cli/apache) and yarn(node/nightwatch)
#3371963: Update Nightwatch to 3.x
#3387117: Enable distributed caching in GitLab Runner
#3388375: Run nightwatch tests in parallel
#3388365: Distribute @group #slow tests between test runners and mark more tests
#3389281: [meta] Refactor ultra-slow tests

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Issue summary updated as of comment #32

Problem/Motivation

The block module does not make provision for negating the user role visibility condition. That makes it impossible (via the UI) to make a block visible only to authenticated users who do not also have a specified additional role, such as member.

Steps to reproduce

Go to /admin/structure/block/manage/BLOCKNAME and look at the "roles" tab; there is no "negate" option.

Proposed resolution

See patch: enable-block-visibility-user-role-negation-2986958-27.patch

Remaining tasks

Update issue summary
Add change record
Manual testing
Tested with themes

• Bartik
• Bootstrap
• Radix
• Umami

User interface changes

On /admin/structure/block/manage/BLOCKNAME ("roles" tab), add "negate" option.

API changes

None.

Data model changes

None.

Release notes snippet

Add a "negate" option to "roles" tab in block visibility settings.

Problem/Motivation

  plugin.cache_clearer:
    class: Drupal\Core\Plugin\CachedDiscoveryClearer
    lazy: true

However the service is always instantiated and used directly so the lazy proxy is pointless:

\Drupal::service('plugin.cache_clearer')->clearCachedDefinitions();

Even worse, the service is not lazily instantiated anyway:

> $proxy = \Drupal::service('plugin.cache_clearer');
= Drupal\Core\ProxyClass\Plugin\CachedDiscoveryClearer {#8061}

> (new ReflectionProperty($proxy, 'service'))->getValue($proxy);
= Drupal\Core\Plugin\CachedDiscoveryClearer {#8062}

The $service property should not be set until a method is called on the actual service, but the addCachedDiscovery method calls configured in PluginManagerPass trigger the instantiation of the real service as soon as the proxy service is created.

Steps to reproduce

Proposed resolution

Remove the lazy proxy. Use a tagged iterator instead of calls to addCachedDiscovery.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

The render array #attached key bubbles up and merges information from elements. The keys are checked against an allowed list in HtmlResponseAttachmentsProcessor, and an exception is thrown for unrecognized values. This prevents other modules from using the render system to add additional properties that bubble up during the rendering process.

https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co...

    // Send a message back if the render array has unsupported #attached types.
    $unsupported_types = array_diff(
      array_keys($attached),
      ['html_head', 'feed', 'html_head_link', 'http_header', 'library', 'html_response_attachment_placeholders', 'placeholders', 'drupalSettings']
    );
    if (!empty($unsupported_types)) {
      throw new \LogicException(sprintf('You are not allowed to use %s in #attached.', implode(', ', $unsupported_types)));
    }

• Big Pipe makes use of #attached by wrapping the core attachments processor, and removing its own properties from the array before passing the rest on to the decorated method. These properties are only added (and then removed) by Big Pipe during the rendering process.
• Content Security Policy allows modules to alter a page's policy, which can currently be done by inspecting the libraries attached to a response. Some content, such as media or an iframe may not have an associated library and so site builders may have to allow a certain resource on all pages of a site instead of for only relevant content. If an element contains content which requires a placeholder for a nonce be replaced, there isn't a direct way to pass that information to the response #3413636: Provides a filter to add nonce attribute to inline scripts.
• Attach Inline allows developers to add inline JS and CSS snippets to a render array element, which are then rendered with the page's libraries in the page header or footer. To allow additional keys for specifying inline JS and CSS, the module replaces the core attachments processor service, which can cause compatibility issues if core's code changes or if another module also needs to replace the service #3096061: [upstream] html_response.attachments_processor service must be replaced instead of decorated. If the attach inline module is uninstalled while a render array still has the additional key, the exception will be thrown.

Proposed resolution

• Allow modules to define additional allowed keys. Use an assertion to check for unrecognized keys so that an exception isn't thrown in a production environment for properties that will just be ignored.
• OR Allow any key

$element['#attached'] = [
  'csp' => [
    'media-src' => ["*"],
    'script-src' => ["'unsafe-inline'"],
  ],
];

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

There is an unrelated webform in the footer, that has a submit button with "edit-actions-submit" selector.
And there is a Layout Builder page, where you press on the edit block and can see a form with submit button with the same "edit-actions-submit" selector.

If you submit this edit form, then the page will scroll all the way down to focus on the "edit-actions-submit" of the unrelated webform.

Steps to reproduce

- Enable Layout Builder and Webform modules.
- Create a webform and add it to the footer.
- Allow individual layouts for Page content type.
- Create a node and go to the Layout tab.
- Add a block, then try to edit it.
- When submit button is clicked, it will scroll down to the webform submit button.

Proposed resolution

The ajax.js relies on data-drupal-selector attribute to find the element focus on. Problem is that value of that attribute for form elements is sometimes not unique. It would be better to rely on the "id" attribute.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

When adding/editing a block in layout builder, if you resize the browser then the off-canvas sidebar doesn't re-position itself correctly.

Steps to reproduce

1. use Drupal 10.0.9, or 9.5.9
2. enable layout builder and turn it on for a content type
3. create a page using the layout builder content type
4. edit the layout for the page
5. click "Add section"
6. resize the right side of browser

Expected behaviour

The layout builder sidebar should move with the right side of the browser.

Actual behaviour

Sidebar stays in one place, or jumps around.

I think it has something to do with this change: https://git.drupalcode.org/project/drupal/-/commit/e2d11b5fff7ba50dbb18f...

Problem/Motivation

If you happen to have a file ending in component.yml in a directory named components, SDC will assume it is their component.
It's supposed to only find files ending in .component.yml (with that extra dot)

Steps to reproduce

Create a components directory and add a YAML file ending in components.yml but not .components.yml

Proposed resolution

Fix the regex

Remaining tasks

N/A

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

Problem/Motivation

Follow-up to #2914484: Prevent the layout field from being removed if overrides exist

When attempting to disable Layout Builder for a display, a confusing "Your settings have been saved" message is shown on the Confirmation form before the submit button has been pressed.

Steps to reproduce

Install a fresh standard site
Enable the LB module
Add Layout Builder to an entity display
Disable Layout Builder on the display
Verify on the confirmation form that a confusing "Your settings have been saved" message is shown. See #10

Proposed resolution

Remove this message from the confirmation form.

Remaining tasks

Track down the cause of this messsage and remove it from the confirmation form.

User interface changes

The message will no longer show on the confirm form when disabling Layout Builder on a display.

Before

After

API changes

N/A

Data model changes

N/A

Problem/Motivation

Ckeditor 5 automatically changes the html structure in Source editing mode

original html:

<div class="__tile-outer">
        <a href="https://www.google.com/">
<div class="__tile-inner">
                <img class="__tile-img-content" src="https://cdn.boatinternational.com/convert/files/2024/05/3a4aa060-1687-11ef-b53e-e5fd81c40b7c-rossinavi-seawolf-x-5.jpg/r%5Bwidth%5D=1920&r%5Bheight%5D=1080/3a4aa060-1687-11ef-b53e-e5fd81c40b7c-rossinavi-seawolf-x-5.webp">
<div class="__tile-title">Testing</div>
</div>
<p>        </p></a>
    </div>

Ckeditor is converting it to:

<div class="__tile-outer">
        <div class="__tile-inner">
            <p>
                <a href="https://www.google.com/"></a>
            </p>
            <div class="__tile-title">
                <a href="https://cdn.boatinternational.com/convert/files/2024/05/3a4aa060-1687-11ef-b53e-e5fd81c40b7c-rossinavi-seawolf-x-5.jpg/r%5Bwidth%5D=1920&r%5Bheight%5D=1080/3a4aa060-1687-11ef-b53e-e5fd81c40b7c-rossinavi-seawolf-x-5.webp">Testing</a>
            </div>
        </div>
    </div>

Problem/Motivation

There are 3 NavigationBlock plugin provided by Navigation module: NavigationMenuBlock, NavigationShortcutsBlock & UserNavigationBlock.

The later follow a different name pattern, nd would be great to have a single naming convention for these blocks.

Proposed resolution

• Rename class UserNavigationBlock to NavigationUserBlock
• Rename class UserNavigationBlockTest to NavigationUserBlockTest
• Remove unused class property moduleHandler which is not being used while we are here

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet