
A11y scan hardening: block non-AJAX mobile nav callback access #5642

Open: accesswatch wants to merge 2 commits into main from accessibility-fixes-mobile-nav-callback

@accesswatch
Contributor

Summary

  • Prevents non-AJAX crawling of the mobile navigation callback endpoint.
  • This endpoint is intended to return Drupal AJAX commands, not standalone HTML documents.

Issue types targeted from CSV

  • html-has-lang
  • document-title
  • label

These were reported on /az_core/mobile_nav_callback/... URLs where scanners treated AJAX payloads as full pages.

Change

  1. modules/custom/az_core/src/Controller/MobileNavController.php
    • Injects request_stack and checks isXmlHttpRequest().
    • Returns 404 for non-AJAX requests.
    • Preserves current AJAX behavior for legitimate mobile menu requests.

Impact

  • Impacted files: 1
  • Scope: high-confidence endpoint hardening for crawler-facing false-positive reduction.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@accesswatch accesswatch requested a review from a team as a code owner May 28, 2026 01:26
Copilot AI review requested due to automatic review settings May 28, 2026 01:26

Copilot AI left a comment

Pull request overview

Hardens the az_core.mobile_nav_callback controller endpoint so it only serves Drupal AJAX command payloads to legitimate AJAX requests, reducing accessibility scanner false-positives caused by crawlers treating the callback response as a standalone page.

Changes:

  • Inject request_stack into MobileNavController.
  • Reject non-AJAX requests by throwing NotFoundHttpException (404) before building the AJAX response.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
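
A sketch of the kind of guard this pull request describes, added here as an illustration and not the project's actual MobileNavController code: the namespace, class name, property name, selector and markup are hypothetical, and a Drupal 10 module context is assumed. isXmlHttpRequest() only tests the client-supplied X-Requested-With header, so the check filters crawlers and is not an access control.

```php
<?php

namespace Drupal\example_nav\Controller;

use Drupal\Core\Ajax\AjaxResponse;
use Drupal\Core\Ajax\ReplaceCommand;
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * Hypothetical controller: returns AJAX commands only to AJAX requests.
 */
class ExampleMobileNavController extends ControllerBase {

  /** Request stack injected from the service container. */
  protected RequestStack $navRequestStack;

  public function __construct(RequestStack $request_stack) {
    $this->navRequestStack = $request_stack;
  }

  /** Pulls the request_stack service when Drupal builds the controller. */
  public static function create(ContainerInterface $container) {
    return new static($container->get('request_stack'));
  }

  /** Route callback for the (hypothetical) mobile navigation endpoint. */
  public function callback(): AjaxResponse {
    $request = $this->navRequestStack->getCurrentRequest();

    // True only when the client sent "X-Requested-With: XMLHttpRequest".
    // Any client can set that header, so this keeps crawlers from indexing
    // the payload as a page; authorization stays with the route's
    // access requirements.
    if ($request === NULL || !$request->isXmlHttpRequest()) {
      throw new NotFoundHttpException();
    }

    // Normal path: build the AJAX command payload (placeholder content).
    $response = new AjaxResponse();
    $response->addCommand(new ReplaceCommand(
      '#example-mobile-nav',
      ['#markup' => $this->t('Menu placeholder')]
    ));
    return $response;
  }

}
```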