https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38365
--- Comment #249 from David Cook <[email protected]> ---

Test plan:

0. Apply the patch

1. cp debian/templates/plack.psgi /etc/koha/sites/kohadev/plack.psgi

2. Add conf to /etc/koha/sites/kohadev/koha-conf.xml

<content_security_policy>
    <opac>
        <csp_mode>report-only</csp_mode>
        <csp_header_value>default-src 'self'; script-src 'self' 'nonce-_CSP_NONCE_'; style-src 'self' 'nonce-_CSP_NONCE_'; style-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; report-uri /api/v1/public/csp-reports; report-to csp-violations</csp_header_value>
    </opac>
    <intranet>
        <csp_mode>report-only</csp_mode>
        <csp_header_value>default-src 'self'; script-src 'self' 'nonce-_CSP_NONCE_'; style-src 'self' 'nonce-_CSP_NONCE_'; style-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; report-uri /api/v1/public/csp-reports; report-to csp-violations</csp_header_value>
    </intranet>
</content_security_policy>

3. Rebuild API

redocly bundle --ext json api/v1/swagger/swagger.yaml --output api/v1/swagger/swagger_bundle.json

4. Add the following to /etc/koha/sites/kohadev/log4perl.conf

log4perl.logger.csp = WARN, CSP
log4perl.appender.CSP=Log::Log4perl::Appender::File
log4perl.appender.CSP.filename=/var/log/koha/kohadev/csp-violations.log
log4perl.appender.CSP.mode=append
log4perl.appender.CSP.layout=PatternLayout
log4perl.appender.CSP.layout.ConversionPattern=[%d] %m%n
log4perl.appender.CSP.utf8=1

log4perl.logger.plack-csp = WARN, PLACKCSP
log4perl.appender.PLACKCSP=Log::Log4perl::Appender::File
log4perl.appender.PLACKCSP.filename=/var/log/koha/kohadev/plack-csp-violations.log
log4perl.appender.PLACKCSP.mode=append
log4perl.appender.PLACKCSP.layout=PatternLayout
log4perl.appender.PLACKCSP.layout.ConversionPattern=[%d] %m%n
log4perl.appender.PLACKCSP.utf8=1

5. Restart everything

restart_all

6. Run unit tests:

GIT_INSTALL=1 KOHA_HOME=/kohadevbox/koha/ prove -v t/Koha/ContentSecurityPolicy.t t/Koha/Middleware/ContentSecurityPolicy.t t/db_dependent/Koha/Middleware/ContentSecurityPolicy.t t/db_dependent/Koha/Template/Plugin/Koha.t t/db_dependent/api/v1/public/csp_reports.t

7. Set up SSL on OPAC

- sudo vi /etc/apache2/sites-enabled/kohadev.conf
  Add the following to the bottom of the OPAC :8080 virtualhost:
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
- sudo a2enmod ssl
- sudo service apache2 restart

8. Manual testing

Open your F12 dev tools, go to the Console tab, and look for CSP errors as you navigate around Koha.

- Go to /cgi-bin/koha/tools/additional-contents.pl?op=add_form&category=news&editmode=wysiwyg in the staff interface
- Add a news item for "Staff interface and OPAC" with the following HTML:
  <script>console.log('boo')</script>
- To test the OPAC with CSP violation reports, go to https://kohadev.mydnsname.org:8080/
- If you're not seeing reports in /var/log/koha/kohadev/plack-csp-violations.log, try using a different browser or a private/incognito window

NOTE: The following is an example of Firefox and Chrome reporting (respectively)

[2026/03/04 03:18:20] CSP violation: 'script-src-elem' blocked 'inline' on page 'https://kohadev.mydnsname.org:8080/' at https://kohadev.mydnsname.org:8080/:763:63
[2026/03/04 03:18:26] CSP violation: 'script-src-elem' blocked 'inline' on page 'https://kohadev.mydnsname.org:8080/' at https://kohadev.mydnsname.org:8080/:763
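As an added illustration of the two mechanisms this test plan exercises (example code written for this page, not Koha's own Perl middleware or API controller): first, the `_CSP_NONCE_` placeholder in the koha-conf.xml header template is replaced with a fresh per-response nonce and the header name is chosen from csp_mode; second, the two wire formats a browser can POST to the report-uri / report-to endpoint (the hyphenated `csp-report` object Firefox sends, and the camelCase Reporting API batch Chrome sends) are normalised into the single log line format shown in the comment. The function names, the `enforce` mode value and the two sample report payloads are assumptions constructed for the example; only the `report-only` value, the placeholder, the header template and the log line shape come from the comment.

```python
"""Added example (not Koha code): CSP nonce substitution and violation-report
normalisation matching the test plan above."""
import json
import secrets
from typing import List, Tuple

# Placeholder used in the koha-conf.xml <csp_header_value> template (from the test plan).
NONCE_PLACEHOLDER = "_CSP_NONCE_"

# Copy of the OPAC header value from the test plan.
CSP_TEMPLATE = (
    "default-src 'self'; script-src 'self' 'nonce-_CSP_NONCE_'; "
    "style-src 'self' 'nonce-_CSP_NONCE_'; style-src-attr 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self'; object-src 'none'; "
    "report-uri /api/v1/public/csp-reports; report-to csp-violations"
)


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded. A nonce is only as good as
    its unpredictability, and it must be generated fresh for every response."""
    return secrets.token_urlsafe(16)


def build_csp_header(template: str, csp_mode: str, nonce: str) -> Tuple[str, str]:
    """Return (header name, header value) for one response.

    'report-only' is the csp_mode value used in the test plan; 'enforce' is an
    assumed name for the blocking mode (not taken from the page).
    """
    if csp_mode == "report-only":
        name = "Content-Security-Policy-Report-Only"
    elif csp_mode == "enforce":
        name = "Content-Security-Policy"
    else:
        raise ValueError(f"unknown csp_mode: {csp_mode!r}")
    if "'nonce-" in template and NONCE_PLACEHOLDER not in template:
        # A literal nonce in config would be reused across responses and
        # defeats the point of nonce-based CSP, so refuse it.
        raise ValueError("nonce sources must use the _CSP_NONCE_ placeholder")
    return name, template.replace(NONCE_PLACEHOLDER, nonce)


def _log_line(directive, blocked, page, source, line, column) -> str:
    """Render one violation in the shape of the plack-csp-violations.log lines."""
    msg = f"CSP violation: '{directive}' blocked '{blocked}' on page '{page}'"
    if source:
        location = str(source)
        if line is not None:
            location += f":{line}"
            if column is not None:  # Chrome's report above carried no column
                location += f":{column}"
        msg += f" at {location}"
    return msg


def parse_csp_reports(payload: str) -> List[str]:
    """Normalise a report body POSTed by a browser into log lines.

    report-uri (application/csp-report): one object under "csp-report" with
    hyphenated keys. report-to (application/reports+json): a list of reports,
    each with "type": "csp-violation" and camelCase keys under "body"; other
    report types that share the batch are ignored.
    """
    data = json.loads(payload)
    lines: List[str] = []
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        r = data["csp-report"]
        lines.append(_log_line(
            r.get("effective-directive") or r.get("violated-directive"),
            r.get("blocked-uri"), r.get("document-uri"), r.get("source-file"),
            r.get("line-number"), r.get("column-number")))
    elif isinstance(data, list):
        for report in data:
            if not isinstance(report, dict) or report.get("type") != "csp-violation":
                continue
            b = report.get("body") or {}
            lines.append(_log_line(
                b.get("effectiveDirective"), b.get("blockedURL"), b.get("documentURL"),
                b.get("sourceFile"), b.get("lineNumber"), b.get("columnNumber")))
    else:
        raise ValueError("unrecognised CSP report payload")
    return lines


# Constructed sample payloads for the inline <script> news item from the test plan.
FIREFOX_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://kohadev.mydnsname.org:8080/",
    "effective-directive": "script-src-elem", "blocked-uri": "inline",
    "source-file": "https://kohadev.mydnsname.org:8080/",
    "line-number": 763, "column-number": 63, "disposition": "report"}})

CHROME_REPORTS = json.dumps([{"type": "csp-violation", "age": 12,
    "url": "https://kohadev.mydnsname.org:8080/",
    "body": {"documentURL": "https://kohadev.mydnsname.org:8080/",
             "effectiveDirective": "script-src-elem", "blockedURL": "inline",
             "sourceFile": "https://kohadev.mydnsname.org:8080/",
             "lineNumber": 763, "disposition": "report"}}])

if __name__ == "__main__":
    name, value = build_csp_header(CSP_TEMPLATE, "report-only", new_nonce())
    print(f"{name}: {value}")
    for line in parse_csp_reports(FIREFOX_REPORT) + parse_csp_reports(CHROME_REPORTS):
        print(line)
```

The report parser deliberately reads with `.get()` and drops unknown report types rather than raising, because the endpoint is public and unauthenticated: anything a browser (or anyone else) chooses to POST must be treated as untrusted input and only ever ends up in a log line.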
