https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38365
--- Comment #325 from Lari Taskula <[email protected]> ---

(In reply to David Cook from comment #315)
> Created attachment 194607 [details] [review]
> Bug 38365: Fix t/db_dependent/Koha/Plugins/Valuebuilder_hooks.t
>
> This initialises the CSP nonce in the unit test so that
> t/lib/plugins/Koha/Plugin/TestValuebuilder/test_valuebuilder_popup.tt
> will get its script element rewritten correctly.

Do we still need this patch after excluding test_valuebuilder_popup.tt in Koha::Devel::Files and xt/find-missing-nonce.t? Is there a way to make the Valuebuilder_hooks.t test fail in the first place? I tried rebasing before and after this commit but it always passed, so I don't understand the purpose of this change and the patch.

`add_csp_nonces.pl --apply` still modifies test_valuebuilder_popup.tt. Should we call its Koha::Devel::Files constructor with context => 'nonce' so that test_valuebuilder_popup.tt will not be modified by the script?

(In reply to David Cook from comment #316)
> Created attachment 194608 [details] [review]
> Bug 38365: Make tidy.pl compatible with script elements with attributes
>
> tidy.pl will still tidy whitespace around script elements that have
> attributes like "nonce" OK.

`perl misc/devel/tidy.pl --tt` changes t/mock_templates/opac-tmpl/bootstrap/en/modules/opac-csp.tt (a file introduced in this bug).

(In reply to David Cook from comment #317)
> Created attachment 194609 [details] [review]
> Bug 38365: Set __webpack_nonce__ for style-loader plugin and fix fontawesome
> imports

This is out of my expertise; how do I test it?

Not to take anything away from the good work and important findings on the staff client side as seen in that patch, but we should redefine the scope of this Bug. It is clear from the title of this Bug [1] that the scope has been expanding. It has also been established that CSP is not ready to be enabled in the staff client, and my understanding is that a lot of work remains to be done there. But as far as we know, the OPAC is quite close.
So my question is how much do we want to (and can) work on the staff client side of things in this Bug? We have a library that is willing to enable this on the OPAC side. In fact they are already running an older implementation, but we would like to see it replaced with this one. Having this tested in the real world would be good even if it was initially just the OPAC. I also fear that we might run out of steam if this Bug's scope expands too much into the staff client as well.

[1] (at the time of this comment the title is "Add Content-Security-Policy HTTP header to HTML responses")

--
Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
