https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42276
Bug ID: 42276
Summary: CookieConsentedJS is loaded using unsafe method incompatible with CSP
Initiative type: ---
Sponsorship status: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
In cookieconsent.js the JavaScript from CookieConsentedJS is loaded and run
using the following lines:
    // decode the base64 snippet stored in data-consent-code, then
    // compile and run it through the Function constructor
    const code = atob($(this).data("consent-code"));
    const func = Function(code);
    func();
While Function isn't as bad as eval(), for Content-Security-Policy it blocks it
in the same way. That is, it requires unsafe-eval to be set in order to use it.
Obviously, we want to avoid that when using CSP (bug 38365).
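As an added example (not Koha's code), the following Node.js script reproduces the atob + Function pattern on a constructed payload and, next to it, parses a Content-Security-Policy header to report whether that pattern would be permitted; both policy strings and the payload are constructed for illustration.

```javascript
// Added example, not part of Koha. Shows why the Function(code) pattern
// needs 'unsafe-eval': CSP treats new Function(), eval() and string
// setTimeout() identically, and all of them are governed by script-src
// (falling back to default-src when script-src is absent).

// Constructed stand-in for the base64 value of data-consent-code.
const CONSENT_CODE_B64 = Buffer.from("return 'consented script ran'").toString("base64");

// The pattern from cookieconsent.js: decode, compile via Function, run.
function runViaFunctionConstructor(b64) {
  const code = atob(b64);
  const func = Function(code);
  return func();
}

// Minimal CSP parser: directives are ';'-separated, tokens are whitespace
// separated; per the spec, the first occurrence of a directive wins.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = values;
  }
  return directives;
}

// True when the policy lets Function()/eval() run, i.e. when the effective
// script source list contains 'unsafe-eval' or there is no script policy.
function allowsDynamicCodeEval(header) {
  const d = parseCsp(header);
  const sources = d["script-src"] ?? d["default-src"];
  if (!sources) return true; // nothing restricts scripts at all
  return sources.some((v) => v.toLowerCase() === "'unsafe-eval'");
}

// Constructed policies: a nonce-based one (the direction of bug 38365)
// and the same policy weakened with 'unsafe-eval'.
const STRICT_POLICY = "default-src 'self'; script-src 'self' 'nonce-abc123'";
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-eval'";

console.log(runViaFunctionConstructor(CONSENT_CODE_B64));
console.log("strict policy allows Function():", allowsDynamicCodeEval(STRICT_POLICY));
console.log("weak policy allows Function():", allowsDynamicCodeEval(WEAK_POLICY));
```

Under the strict policy a browser refuses the Function() call with a CSP violation report, which is the behaviour a deployment checklist can test for by fetching the page headers and running allowsDynamicCodeEval on them.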
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/