https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38365
--- Comment #265 from Jonathan Druart <[email protected]> --- (In reply to David Cook from comment #258) > (In reply to Jonathan Druart from comment #253) > > > > 7. When enabled, I see an error in the browser's console: > > > > Content-Security-Policy: The page’s settings blocked the loading of a > > > > resource (media-src) at data: because it violates the following > > > > directive: > > > > “default-src 'self'” > > > > > > That's interesting. I'd like to hear more about this one. Were there > > > additional details? I wonder if it had to do with audio when doing a > > > checkout or something? > > > > No idea! There is nothing else! Don't you see it? > > Nope! I haven't been able to find it. I don't see it anywhere. Does it > happen on a particular page? All pages: https://snipboard.io/if28Qu.jpg > > Ok, however I found more: > > Caught by the xt tests (and now by add_csp_nonces.pl as well) > > * t/lib/plugins/Koha/Plugin/TestValuebuilder/test_valuebuilder_popup.tt > > So this is an interesting one. I will upload a patch for this one, but it's > going to work differently to what you might expect. I'll explain more in my > response to your comment about cataloguing plugins. > > (To test this one, you'll want to run `prove > t/db_dependent/Koha/Plugins/Valuebuilder_hooks.t`) xt/find-missing-nonce.t is still failing on this file then. Should we exclude it? > > And those ones when testing the UI: > > * cataloguing/value_builder/* (oops, all cataloguing plugins are broken) > > We might need to adjust the xt test and add_csp_nonces.pl to caught those > > files as well. > > So these aren't actually broken. When I was first working on the patches, I > thought they would be, but the script tags are actually already re-written > by Koha/FrameworkPlugin.pm, so it adds the nonce to them. If you try out the > cataloguing plugins, they should all work without any violation reports. See > the patch labelled "Bug 38365: Fix nonce caching and add to framework plugin > scripts". I do see dozens of violations in the console when I edit a biblio: https://snipboard.io/X7OYJp.jpg > I think an argument could be made for fixing them a different way... and you > just reminded me of why I used an ENV variable initially. It was for this. > When the plugins get launched the CGI context gets re-set which is why I > lost the cached values, but the ENV variable would persist and the package > level variable are fine. > > > Also wondering if this one won't require adjustment: > > misc/devel/tidy.pl:172 $content =~ s#\n*( > > *)<script>\n*#\n$1<script>\n#g; > > Yeah I guess so since it won't match. I've written a patch that will cover > this (as well as a future where we have other attributes like type for ESM > modules or use async or defer). Hum I've revert your patch and tried to see how it broke the tidy but it didn't. All good but maybe this is no longer needed. Will keep in mind if some tidy errors appear in the next weeks. > > > > 10. Vue apps have styling issues: > > > > Content-Security-Policy: The page’s settings blocked an inline style > > > > (style-src-elem) from being applied because it violates the following > > > > directive: “style-src 'self' 'nonce-UrNLygw_Cc1zaPU2WH0qVk'”. Consider > > > > using > > > > a hash ('sha256-t4I2teZN5ZH+VM+XOiWlaPbsjQHe+k9d6viXPpKpNWA=', requires > > > > 'unsafe-hashes' for style attributes) or a nonce. > > > > It's coming from insertBySelector.js and styleTagTransform.js > > > > > > I have been wondering if the Vue apps would have trouble. > > > > > > According to https://webpack.js.org/loaders/style-loader/#nonce, > > > style-loader isn't recommended for production. Note the security warning > > > on > > > https://www.npmjs.com/package/style-loader as well. How does style-loader > > > get used in Vue currently? > > > > Looks like it is used to load all the inline style tags. > > > > Todo - Vue apps are broken. > > Todo - Adjust xt test to parse .vue files(?) > > Since style-loader isn't recommended for prod use, I think we look at > replacing that. It looks like "mini-css-extract-plugin" is typically what's > used which will put the CSS into a separate file. > > Note that nothing is broken per se. We're not turning on CSP by default, and > you can always override the default CSP to allow inline styles if you want. > So we have time to work out some of these changes while still forging ahead. > > I see what you mean though. If I turn on ERM and go to > http://localhost:8081/cgi-bin/koha/erm/home I see a lot of inline style > violations. > > Alternatively, I think that style-loader might have support for > __webpack_nonce__ . I need to have a very late lunch but I'll check that out > too... Nice one! -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
