putyourlightson / craft-blitz

Intelligent static page caching for creating lightning-fast sites with Craft CMS.
https://putyourlightson.com/plugins/blitz

Sherlock headers not working anymore #644

Closed marten-wirelab closed 3 months ago

marten-wirelab commented 3 months ago

Bug Report

We have a project that has been running both Blitz and Sherlock for quite some time without any issues, but recently we've been notified through a security scan that CSP headers are no longer being set. I've found that this is due to the interaction between Blitz and Sherlock. It seems that due to some random change, the order of execution of both Application::EVENT_INIT handlers of the plugins has switched around, meaning that Blitz now fires before Sherlock, sends the stored response and exits the process. We don't use server rewrites exactly because we need CSP headers to be set. Using meta tags is not an option because we need the report_uri.

Plugin Version

4.11.1

Craft CMS Version

4.7.3

PHP Version

8.2.16

bencroker commented 3 months ago

Blitz has always returned cached versions of pages as early as possible. The changing of the order in which plugins are loaded was likely due to a Craft update. In Craft 3.7.31, the order was changed to be deterministic (by handle, ascending), for example, meaning that Blitz loads before Sherlock. See https://github.com/craftcms/cms/issues/10441

Using meta tags is the way to go when static caching. You can use headers in a staging environment with caching disabled to enable report only mode, but in production you should switch to meta tags, which will be more robust and allow for server rewrites.

marten-wirelab commented 3 months ago

@bencroker I understand meta tags would be easier, but it's not really an option. Meta tags are only enforced on everything after them in the HTML, and there's no feature parity between using headers and meta tags, i.e. setting a report URI, which is critical in our use case. I think the fix could be as simple as checking if Blitz is installed and hooking into the EVENT_AFTER_GET_RESPONSE event.

bencroker commented 3 months ago

Made a quick fix in https://github.com/putyourlightson/craft-sherlock/commit/6d1a0d980d21b7b8461c2539d31ac8b8bc8605f3 that applies the CSP as early as possible. Let me know if 4.4.2 resolves the issue for you.
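A check for the symptom in this thread, added here as an example and not code from Blitz or Sherlock: it parses two raw HTTP responses for the same URL (constructed inline to mimic a cache miss, where the security plugin ran, and a cache hit served before it could run) and reports whether the Content-Security-Policy header and its report-uri survived caching. Browsers ignore report-uri inside a `<meta>` policy, so a meta-only CSP is flagged as well.

```python
import re

# Constructed sample responses (not captured from a real site): a cache miss
# where the security plugin ran, and a cache hit served before it could run.
CACHE_MISS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'; report-uri /csp-report\r\n"
    "\r\n<html><head></head><body>hello</body></html>"
)
CACHE_HIT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    '<html><head><meta http-equiv="Content-Security-Policy" '
    "content=\"default-src 'self'; report-uri /csp-report\"></head>"
    "<body>hello</body></html>"
)
# Captures the policy of a <meta http-equiv="Content-Security-Policy"> tag.
META_CSP = re.compile(
    r'<meta[^>]+http-equiv=["\']content-security-policy["\'][^>]*?'
    r'content=(["\'])(.*?)\1',
    re.IGNORECASE | re.DOTALL,
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def csp_findings(raw):
    """List the CSP problems in one response; an empty list means it is fine."""
    headers, body = parse_response(raw)
    header_csp = headers.get("content-security-policy")
    meta = META_CSP.search(body)
    findings = []
    if header_csp is None:
        findings.append("no Content-Security-Policy header")
        if meta is None:
            findings.append("no CSP at all, neither header nor <meta>")
        elif "report-uri" in meta.group(2).lower():
            # Browsers ignore report-uri in a <meta> policy: reports are lost.
            findings.append("report-uri only in <meta>, which browsers ignore")
    elif "report-uri" not in header_csp.lower():
        findings.append("CSP header lacks report-uri")
    return findings
```

Run `csp_findings` over a fresh fetch and a repeat fetch of the same page after updating to 4.4.2; both should come back empty.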