Problem/Motivation
The render array #attached key bubbles up and merges information from elements. The keys are checked against an allowed list in HtmlResponseAttachmentsProcessor, and an exception is thrown for unrecognized values. This prevents other modules from using the render system to add additional properties that bubble up during the rendering process.
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co...
// Send a message back if the render array has unsupported #attached types.
$unsupported_types = array_diff(
  array_keys($attached),
  ['html_head', 'feed', 'html_head_link', 'http_header', 'library', 'html_response_attachment_placeholders', 'placeholders', 'drupalSettings']
);
if (!empty($unsupported_types)) {
  throw new \LogicException(sprintf('You are not allowed to use %s in #attached.', implode(', ', $unsupported_types)));
}
- Big Pipe makes use of #attached by wrapping the core attachments processor, and removing its own properties from the array before passing the rest on to the decorated method. These properties are only added (and then removed) by Big Pipe during the rendering process.
- Content Security Policy allows modules to alter a page's policy, which can currently be done by inspecting the libraries attached to a response. Some content, such as media or an iframe, may not have an associated library, and so site builders may have to allow a certain resource on all pages of a site instead of for only relevant content. If an element contains content which requires a placeholder for a nonce to be replaced, there isn't a direct way to pass that information to the response #3413636: Provides a filter to add nonce attribute to inline scripts.
- Attach Inline allows developers to add inline JS and CSS snippets to a render array element, which are then rendered with the page's libraries in the page header or footer. To allow additional keys for specifying inline JS and CSS, the module replaces the core attachments processor service, which can cause compatibility issues if core's code changes or if another module also needs to replace the service #3096061: [upstream] html_response.attachments_processor service must be replaced instead of decorated. If the Attach Inline module is uninstalled while a render array still has the additional key, the exception will be thrown.
Proposed resolution
- Allow modules to define additional allowed keys. Use an assertion to check for unrecognized keys so that an exception isn't thrown in a production environment for properties that will just be ignored.
- OR Allow any key
$element['#attached'] = [
  'csp' => [
    'media-src' => ["*"],
    'script-src' => ["'unsafe-inline'"],
  ],
];
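A stand-alone PHP sketch of the first proposed resolution, added here as an illustration and not Drupal core or Content Security Policy module code: module-declared keys are split from core keys before the core check runs, unknown keys only trip an assertion, and the bubbled 'csp' values are validated before anything consumes them. The function names, the validation rules and the sample hosts are assumptions.

```php
<?php
// Added example; function names and sample hosts are hypothetical, not Drupal APIs.
const CORE_KEYS = ['html_head', 'feed', 'html_head_link', 'http_header', 'library',
  'html_response_attachment_placeholders', 'placeholders', 'drupalSettings'];

// Splits merged #attached data into core keys and module-declared keys.
// Unknown keys fail assert() in development; in production they are just dropped.
function split_attached(array $attached, array $module_keys): array {
  $unsupported = array_diff(array_keys($attached), CORE_KEYS, $module_keys);
  assert(empty($unsupported), 'Unrecognized #attached keys: ' . implode(', ', $unsupported));
  return [
    'core' => array_intersect_key($attached, array_flip(CORE_KEYS)),
    'module' => array_intersect_key($attached, array_flip($module_keys)),
  ];
}

// Validates and de-duplicates bubbled 'csp' data before a consumer uses it.
function normalize_csp(array $csp): array {
  $clean = [];
  foreach ($csp as $directive => $sources) {
    if (!preg_match('/^[a-z]+(-[a-z]+)*$/', (string) $directive)) {
      throw new InvalidArgumentException("Invalid CSP directive name: $directive");
    }
    foreach ((array) $sources as $source) {
      // Whitespace, ';' or ',' in a source could append extra sources, directives or policies.
      if (!is_string($source) || $source === '' || preg_match('/[\s;,]/', $source)) {
        throw new InvalidArgumentException("Invalid CSP source in $directive");
      }
      $clean[$directive][$source] = $source;
    }
  }
  return array_map('array_values', $clean);
}

// Constructed sample: attachments of two elements, merged as they bubble up.
$attached = array_merge_recursive(
  ['library' => ['core/drupal'], 'csp' => ['media-src' => ['https://media.example']]],
  ['csp' => ['media-src' => ['https://media.example', 'https://cdn.example'], 'script-src' => ["'unsafe-inline'"]]]
);
$parts = split_attached($attached, ['csp']);
// $parts['core'] is what the decorated core processor would receive.
print_r(array_keys($parts['core']));
print_r(normalize_csp($parts['module']['csp']));
```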