https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38365

--- Comment #271 from David Cook <[email protected]> ---
(In reply to Jonathan Druart from comment #265)
> (In reply to David Cook from comment #258)
> > (In reply to Jonathan Druart from comment #253)
> > > > > 7. When enabled, I see an error in the browser's console:
> > > > > Content-Security-Policy: The page’s settings blocked the loading of a
> > > > > resource (media-src) at data: because it violates the following 
> > > > > directive:
> > > > > “default-src 'self'”
> > > > 
> > > > That's interesting. I'd like to hear more about this one. Were there
> > > > additional details? I wonder if it had to do with audio when doing a
> > > > checkout or something?
> > > 
> > > No idea! There is nothing else! Don't you see it?
> > 
> > Nope! I haven't been able to find it. I don't see it anywhere. Does it
> > happen on a particular page?
> 
> All pages: https://snipboard.io/if28Qu.jpg

Yeah, I don't see that on mine: https://snipboard.io/GSboJW.jpg

media-src is for <audio> and <video> elements, and even that violation message
looks weird, although I see other people talking about it online. Do you have
any browser plugins/extensions? I think something in your browser is injecting
audio/video into your pages.

> > > Ok, however I found more:
> > > Caught by the xt tests (and now by add_csp_nonces.pl as well)
> > >  * t/lib/plugins/Koha/Plugin/TestValuebuilder/test_valuebuilder_popup.tt
> > 
> > So this is an interesting one. I will upload a patch for this one, but it's
> > going to work differently to what you might expect. I'll explain more in my
> > response to your comment about cataloguing plugins. 
> > 
> > (To test this one, you'll want to run `prove
> > t/db_dependent/Koha/Plugins/Valuebuilder_hooks.t`)
> 
> xt/find-missing-nonce.t is still failing on this file then. Should we
> exclude it?

I think that we should exclude it, since it's good at testing that
Koha::FrameworkPlugin is working correctly at this time.

> > > And those ones when testing the UI:
> > >  * cataloguing/value_builder/* (oops, all cataloguing plugins are broken)
> > > We might need to adjust the xt test and add_csp_nonces.pl to catch those
> > > files as well.
> > 
> > So these aren't actually broken. When I was first working on the patches, I
> > thought they would be, but the script tags are actually already re-written
> > by Koha/FrameworkPlugin.pm, so it adds the nonce to them. If you try out the
> > cataloguing plugins, they should all work without any violation reports. See
> > the patch labelled "Bug 38365: Fix nonce caching and add to framework plugin
> > scripts".
> 
> I do see dozens of violations in the console when I edit a biblio:
> https://snipboard.io/X7OYJp.jpg

So those are different violations unrelated to the nonces. Those are due to
inline event handlers, and bug 38407 is for fixing those. 

If you try the cataloguing plugins for the leader and 008, they're fine. Same
with the item editor. The "tag editor" for 100$a isn't using a cataloguing
plugin. It's using an inline event handler. 

These inline event handlers need to be moved into <script> elements with nonces
or moved into separate files. But that's what bug 38407 is for. 

> > I think an argument could be made for fixing them a different way... and you
> > just reminded me of why I used an ENV variable initially. It was for this.
> > When the plugins get launched the CGI context gets re-set, which is why I
> > lost the cached values, but the ENV variable would persist and the
> > package-level variables are fine. 
> > 
> > > Also wondering if this one won't require adjustment:
> > > misc/devel/tidy.pl:172             $content =~ s#\n*( *)<script>\n*#\n$1<script>\n#g;
> > 
> > Yeah I guess so since it won't match. I've written a patch that will cover
> > this (as well as a future where we have other attributes like type for ESM
> > modules or use async or defer).
> 
> Hmm, I've reverted your patch and tried to see how it broke the tidy, but it
> didn't. All good, but maybe this is no longer needed. Will keep in mind if
> some tidy errors appear in the next weeks.

I was wondering that too. That bit of tidying is just collapsing multiple new
lines into a single new line, so I'm not sure it's that helpful?

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/