[Koha-bugs] [Bug 20397] Implement Content Security Policy

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Apr 4 22:58:36 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397

--- Comment #9 from Jake Deery <jake.deery at ptfs-europe.com> ---
Katrin -

I didn't realise you could set 'unsafe-inline'. That would be a great first
step, and something we could probably implement quite quickly with minimal
disruption :-)

The OpacUserJs problem is one that will need more thought and discussion. There
are many ways to solve it, each with different benefits and drawbacks in my
eyes:

* You could keep everything in the database, and have a Perl script fetch it on
each pageload. E.g. <script src="/cgi-bin/koha/opac-userjs.pl"></script>. This
has the benefit of keeping everything in the database, but the drawback of
being slow (you're making a dynamic call on each pageload).
* Or, you can keep everything in the database, and rebuild a file when you save
the syspref. For example, using a filehandler to write to somewhere in
/var/lib/koha (or another location, /tmp maybe?). This has the benefit of being
faster and cacheable using Apache headers, but the drawback of maybe being
inconsistent for sites that are configured poorly.
* The other option is to maybe do a bit of both? Keep everything in the
database, but have the option in the Koha sysprefs page of having a save button
and a rebuild button separate from each other. So you can manually rebuild the
JS file in the filesystem if it becomes unusable or missing!

Of course, these are ideas - and I have COVID at the moment, so I may be
writing 100 words where I would usually find what I need to say in ten. Again -
open discussion; please say if you think these ideas are all silly, or not
useful for Koha's use case. :-)

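To make the trade-off in this comment concrete, here is an added Python example (not Koha code, and not from the bug thread) that evaluates a CSP script-src source list roughly the way a browser does: an inline OpacUserJs block only runs when 'unsafe-inline' is present, while the proposed /cgi-bin/koha/opac-userjs.pl endpoint is allowed under a plain 'self' policy. The OPAC hostname and both policies are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample policies: the quick first step with 'unsafe-inline',
# and a stricter policy that only permits same-origin external scripts.
CSP_FIRST_STEP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
CSP_STRICT = "default-src 'self'; script-src 'self'"

# Hypothetical OPAC page and the endpoint proposed in the comment above.
OPAC_PAGE = "https://opac.example.org/cgi-bin/koha/opac-main.pl"
USERJS_SRC = "/cgi-bin/koha/opac-userjs.pl"


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src falls back to default-src; None means unrestricted."""
    return policy.get("script-src", policy.get("default-src"))


def inline_script_allowed(header):
    """An inline <script> block (OpacUserJs as injected today) needs
    'unsafe-inline' in the effective script-src source list."""
    sources = script_sources(parse_csp(header))
    return sources is None or "'unsafe-inline'" in sources


def external_script_allowed(header, page_url, script_src):
    """Can <script src=script_src> load on page_url? Handles 'self' and
    plain host sources (no wildcard or path matching, which real CSP has)."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True
    target = urlsplit(urljoin(page_url, script_src))
    page = urlsplit(page_url)
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces, hashes: not host sources
        elif urlsplit(src if "://" in src else "//" + src).netloc == target.netloc:
            return True
    return False
```

Under CSP_STRICT the inline block is refused but the same-origin opac-userjs.pl load passes, which is the point of moving the JS out of the page body.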