https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38365
Jonathan Druart <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA

--- Comment #232 from Jonathan Druart <[email protected]> ---
1. I think we need a xt test to parse template files and catch regressions from Jenkins. Let me know if I missed something, I can write it if you want me to.

2. `use strict; use warnings;` should be replaced by `use Modern::Perl;`

3. Is there a good reason to use Plack::Test in t/db_dependent/Koha/Middleware/ContentSecurityPolicy.t? IMO we should have a Cypress test.
By the way I am expecting t/Koha/Middleware/ContentSecurityPolicy.t to fail if there is no DB, why is it not in db_dependent?
Also I don't think those 2 includes are needed:
    27 use File::Basename qw(dirname);
    28 use HTTP::Request::Common;

4. Koha::Cache::Memory::Lite; is loaded in several modules but not used.

5. We will need a commit for ktd to sync koha-conf.xml

6. xt/api.t is failing

xt/api.t .. 1/8
#   Failed test 'Validation exit code is 0'
#   at xt/api.t line 103.
#          got: '256'
#     expected: '0'
# Validation failed. /paths/public/csp-reports/post/parameters/body has an invalid type (array,object)
# Looks like you failed 1 test of 1.
xt/api.t .. 3/8
#   Failed test 'The spec passes the swagger-cli validation'
#   at xt/api.t line 108.

#   Failed test 'No tag errors in the spec'
#   at xt/api.t line 130.
#     Structures begin differing at:
#          $got->[0] = 'post /public/csp-reports -> uses tag 'csp' not present in top level list'
#     $expected->[0] = Does not exist
post /public/csp-reports -> uses tag 'csp' not present in top level list

7. When enabled, I see an error in the browser's console:
Content-Security-Policy: The page’s settings blocked the loading of a resource (media-src) at data: because it violates the following directive: “default-src 'self'”

Might be related to the other error:
Source map error: request failed with status 404
Resource URL: http://dev-intra.localhost/intranet-tmpl/lib/bootstrap/bootstrap.bundle.min_25.1200026.js
Source Map URL: bootstrap.bundle.min.js.map

8. It's not clear to me why we are using an env var, I would go with a package variable. I actually faced the same problem a couple of weeks ago on bug 41895, please have a look at Koha/Context/UserEnv.pm in the first patch there.

9. Did you discuss those 3 occurrences?
misc/cronjobs/cloud-kw.pl:<style>
misc/cronjobs/overdue_notices.pl:<style type='text/css'>
misc/cronjobs/runreport.pl:        "<html><head><style>tr:nth-child(2n+1) { background-color: #ccc;}</style></head><body>$message</body></html>";

10. Vue apps have styling issues:
Content-Security-Policy: The page’s settings blocked an inline style (style-src-elem) from being applied because it violates the following directive: “style-src 'self' 'nonce-UrNLygw_Cc1zaPU2WH0qVk'”. Consider using a hash ('sha256-t4I2teZN5ZH+VM+XOiWlaPbsjQHe+k9d6viXPpKpNWA=', requires 'unsafe-hashes' for style attributes) or a nonce.
It's coming from insertBySelector.js and styleTagTransform.js

11. Not a blocker but add_csp_nonces.pl should use Koha::Devel::Files to list files.

12. (In reply to David Cook from comment #99)
> FYI bug 38407 will need to be resolved before the staff interface is ready
> for CSP in prod.

There is no patch there, should this depend on it then?

13. I didn't manage to see something in the violation logs. I enabled dom.reporting.* in about:config, what else is needed?

Side note: This will heavily conflict with bug 41324... Easy to fix, but boring.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
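Points 6 and 13 of the comment above both touch the report endpoint: the xt/api.t failure is about /public/csp-reports accepting a body typed "array or object", and that is because browsers POST two different shapes (the legacy report-uri object and the Reporting API array). The example below is added here and is not code from the Koha patches or from the project; it normalises both shapes into one record per violation, using constructed sample payloads modelled on the console errors quoted in the comment (the URLs and file names are made up for the example).

```javascript
// Added example (not from the Koha patches on this bug): normalise the two
// payload shapes a CSP report endpoint such as /public/csp-reports receives,
// which is why the spec types its body as "array or object":
//   report-uri -> application/csp-report, a single {"csp-report": {...}} object
//   report-to  -> application/reports+json, an array of {type, url, body}
// Both payloads are constructed samples modelled on the console errors above.
const LEGACY_REPORT = {
  'csp-report': {
    'document-uri': 'http://dev-intra.localhost/cgi-bin/koha/mainpage.pl',
    'violated-directive': 'default-src',
    'effective-directive': 'media-src',
    'blocked-uri': 'data',
  },
};
const REPORTING_API_BATCH = [
  { type: 'csp-violation', url: 'http://dev-intra.localhost/cgi-bin/koha/mainpage.pl',
    body: { documentURL: 'http://dev-intra.localhost/cgi-bin/koha/mainpage.pl',
            effectiveDirective: 'style-src-elem', blockedURL: 'inline',
            disposition: 'enforce', sourceFile: 'insertBySelector.js', lineNumber: 1 } },
  { type: 'deprecation', url: 'http://dev-intra.localhost/', body: {} }, // not CSP: skipped
];

// Map either wire format onto one flat record per violation.
function normalizeCspReports(body) {
  if (Array.isArray(body)) {
    return body
      .filter((r) => r.type === 'csp-violation' && r.body)
      .map((r) => ({
        documentUrl: r.body.documentURL ?? r.url,
        directive: r.body.effectiveDirective,
        blockedUrl: r.body.blockedURL,
        disposition: r.body.disposition ?? 'enforce',
        sourceFile: r.body.sourceFile ?? null,
        line: r.body.lineNumber ?? null,
      }));
  }
  if (body && typeof body === 'object' && body['csp-report']) {
    const r = body['csp-report'];
    return [{
      documentUrl: r['document-uri'],
      directive: r['effective-directive'] ?? r['violated-directive'],
      blockedUrl: r['blocked-uri'],
      disposition: r.disposition ?? 'enforce', // older reports may omit it when enforcing
      sourceFile: r['source-file'] ?? null,
      line: r['line-number'] ?? null,
    }];
  }
  throw new TypeError('unsupported CSP report payload'); // e.g. a bare string or null
}
```

A handler that stores the normalised records (directive, blocked URL, source file) gives a violation log that can actually be read, which is what point 13 was looking for.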
