[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 David Cook changed: CC: added eugen...@yahoo.com ---

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #21 from David Cook --- However, overall, I'm pretty pleased with this change. I've done some testing and it works very well, and at a glance Koha seems to keep working. (Adding that "nonce" really makes all the

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 David Cook changed: Status: NEW -> In Discussion --- Comment #20

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #19 from David Cook --- Created attachment 154582 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154582&action=edit Bug 20397: Add CSP nonce to all OPAC

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #18 from David Cook --- Created attachment 154581 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154581&action=edit Bug 20397: Add CSP nonce to all staff interface

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #17 from David Cook --- Created attachment 154580 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154580&action=edit Bug 20397: Add default Content-Security-Policy This patch adds a default

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #16 from David Cook --- (In reply to David Cook from comment #15) > We'd need to generate the nonce and pass it to the $template in > C4::Auth::get_template_and_user(). But then we also need to get it into C4::Output.

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #15 from David Cook --- For our inline scripts (like OpacUserJS and IntranetUserJS), we could use a nonce. We'd need to generate the nonce and pass it to the $template in C4::Auth::get_template_and_user(). Then we

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-07-27 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #14 from David Cook --- I'd like to revisit this one soon. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug. ___

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-02-06 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Patrick Robitaille changed: CC:

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2023-02-06 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Noémie Labine changed: CC: added noemie.lab...@collecto.ca

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #13 from Jake Deery --- Thanks for all your input, Katrin! I'll probably be back with some more questions, when I think of some. I need to get into the habit of using IRC to chat with everyone! :-) I can see this as

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #12 from Katrin Fischer --- I'll have to leave those questions for someone else I am afraid - a bit out of my depth here. :(

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #11 from Jake Deery --- Thank you, so far it's been very mild, so thankfully I'm feeling I will pass through it quickly and be able to return to normality soon! That's a valid point! Plus, provided the file is being

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #10 from Katrin Fischer --- Hi Jake - first of all: hope you feel better soon! I worry about having silly suggestions too, so maybe that is not related :) I am not sure if save and rebuild being separate makes sense,

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #9 from Jake Deery --- Katrin - I didn't realise you could set 'unsafe-inline'. That would be a great first step, and something we could probably implement quite quickly with minimal disruption :-) The OpacUserJs
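
Comments #15 and #16 (further up the thread) describe generating a nonce per request, passing it to the template, and emitting the same value in the Content-Security-Policy header; comment #9 mentions 'unsafe-inline' as a quicker first step. The Perl script below is an added example written for this page, not Koha's code and not David Cook's patches. It assumes a /dev/urandom device, stands a plain heredoc in for Koha's Template Toolkit layer, uses a constructed OpacUserJS snippet as input, and its function names (generate_csp_nonce, csp_with_nonce, build_response, inline_script_allowed) are this example's own. It also models the browser-side decision for one inline script, to show why the 'unsafe-inline' policy and the nonce policy behave differently against an injected script, and why 'unsafe-inline' stops mattering once a nonce source is present.

```perl
#!/usr/bin/env perl
# Added example (not Koha code): per-response CSP nonce for inline scripts,
# the header that carries it, and a model of how a browser decides on a block.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# 128 bits from the OS CSPRNG, base64-encoded (the form CSP expects in 'nonce-...').
# Assumes /dev/urandom exists (Linux, BSD, macOS); call it once per request.
sub generate_csp_nonce {
    my $want = @_ ? shift : 16;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $raw, $want;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $want;
    return encode_base64( $raw, q{} );    # q{} = no trailing newline
}

# The "first step" policy from comment #9: external scripts are limited to
# 'self', but every inline <script>, injected ones included, still executes.
sub csp_unsafe_inline {
    return "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
}

# Nonce policy: only inline blocks carrying this response's nonce run.
# 'unsafe-inline' is kept for CSP Level 1 browsers only; a browser that
# understands nonces ignores it once a nonce- or hash- source is present.
sub csp_with_nonce {
    my ($nonce) = @_;
    return join '; ',
        "default-src 'self'",
        "script-src 'self' 'nonce-$nonce' 'unsafe-inline'",
        "style-src 'self' 'nonce-$nonce' 'unsafe-inline'",
        "object-src 'none'",
        "base-uri 'self'";
}

# Stand-in for the template layer: Koha would hand the nonce to Template
# Toolkit as a variable (assumption); here a heredoc plays that role.
sub render_page {
    my ( $nonce, $user_js ) = @_;
    return <<"HTML";
<!DOCTYPE html>
<html><head>
<script nonce="$nonce">$user_js</script>
</head><body><p>OPAC</p></body></html>
HTML
}

# One HTTP response: fresh nonce, same value in header and markup. A page
# cache in front of this must not serve the rendered body to a second client,
# or the nonce stops being a secret.
sub build_response {
    my ($user_js) = @_;
    my $nonce = generate_csp_nonce();
    return "Content-Security-Policy: " . csp_with_nonce($nonce) . "\r\n"
         . "Content-Type: text/html; charset=utf-8\r\n\r\n"
         . render_page( $nonce, $user_js );
}

# Minimal model of the browser's decision for one inline <script>: find the
# governing directive (script-src, else default-src); if it lists any nonce or
# hash source, only a matching nonce passes; otherwise 'unsafe-inline' decides.
sub inline_script_allowed {
    my ( $policy, $script_nonce ) = @_;
    my ($src) = $policy =~ /(?:^|;\s*)script-src\s+([^;]+)/;
    ($src) = $policy =~ /(?:^|;\s*)default-src\s+([^;]+)/ unless defined $src;
    return 1 unless defined $src;    # no governing directive at all
    my @sources = split ' ', $src;
    my @nonces  = map { /^'nonce-(.+)'$/ ? $1 : () } @sources;
    my $strict  = @nonces || grep { /^'sha(?:256|384|512)-/ } @sources;
    if ($strict) {
        return ( defined $script_nonce && grep { $_ eq $script_nonce } @nonces ) ? 1 : 0;
    }
    return ( grep { $_ eq q{'unsafe-inline'} } @sources ) ? 1 : 0;
}

# Constructed sample standing in for the OpacUserJS system preference.
my $user_js = 'console.log("OpacUserJS ran: nonce matched the header");';
my ( $r1, $r2 ) = ( build_response($user_js), build_response($user_js) );
print $r1, "\n";

my ($n1) = $r1 =~ /'nonce-([A-Za-z0-9+\/=]+)'/;
my ($n2) = $r2 =~ /'nonce-([A-Za-z0-9+\/=]+)'/;
die "nonce must be present and differ per response"
    unless defined $n1 && defined $n2 && $n1 ne $n2;

my $policy = csp_with_nonce($n1);
printf "%-36s %s\n", 'OpacUserJS with nonce:',             inline_script_allowed( $policy, $n1 )   ? 'runs' : 'blocked';
printf "%-36s %s\n", 'injected script, no nonce:',         inline_script_allowed( $policy, undef ) ? 'runs' : 'blocked';
printf "%-36s %s\n", "same, under 'unsafe-inline' only:",  inline_script_allowed( csp_unsafe_inline(), undef ) ? 'runs' : 'blocked';
```

The two things worth carrying into a real implementation are in build_response: the nonce is generated once per response and must never be reused (so a caching layer in front of the application cannot store the rendered page), and the value in the header and the value in the markup have to come from the same place, which is why the thread talks about threading it from C4::Auth::get_template_and_user() through to C4::Output rather than generating it in two spots.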

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #8 from Katrin Fischer --- New to the topic, so I hope what I gathered from reading documentation is about right: "Aiming for default-src https: is a great first goal, as it disables inline code and requires https. For

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #7 from Jake Deery --- Hi Michal, I agree; long-term, having a syspref or sysprefs to manage these things would be preferable. In the meantime, I think our starting goal should be implementing something along the lines

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #6 from Michal Denar --- Hi, we can take inspiration from VuFind. It's not in Perl, but the basic principle is the same or similar. https://vufind.org/wiki/administration:security:content_security_policy

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #5 from Jake Deery --- Hi, We are seeing more and more customers flag this in their security audits. Is there anything that can be done to expedite this bug (I was planning on taking a look at this myself in the near

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-04-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Jake Deery changed: CC: added jake.de...@ptfs-europe.com --

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-03-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 David Cook changed: See Also: added https://bugs.koha-community

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-01-23 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #4 from David Cook --- (In reply to Benjamin Daeuber from comment #2) > We're currently experimenting with this in response headers in Apache, > though part of the struggle is getting a hold on the variety of resources >

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-01-23 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 David Cook changed: CC: added dc...@prosentient.com.au ---

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-01-23 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Marcel de Rooy changed: CC: added m.de.r...@rijksmuseum.nl

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2022-01-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Benjamin Daeuber changed: CC: added bdaeu...@cityoffargo.com

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2021-11-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Liz Rea changed: CC: added wizzy...@gmail.com --- Comment

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2021-11-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Tomás Cohen Arazi changed: CC:

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2018-03-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 claire.hernan...@biblibre.com changed: CC:

[Koha-bugs] [Bug 20397] Implement Content Security Policy

2018-03-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 Josef Moravec changed: CC: