From bugzilla-daemon@bugs.koha-community.org Tue Mar 3 10:59:30 2026
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to
HTML responses
Date: Tue, 03 Mar 2026 09:59:30 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3879636483794701185=="
--===============3879636483794701185==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Signed Off |Failed QA
--- Comment #232 from Jonathan Druart ---
1. I think we need a xt test to parse template files and catch regressions fr=
om
Jenkins. Let me know if I miss something, I can write it if you want me to.
2. `use strict; use warnings;` should be replaced by `use Modern::Perl;`
3. Is there a good reason to use Plack::Test in
t/db_dependent/Koha/Middleware/ContentSecurityPolicy.t? IMO we should have a
Cypress test.
By the way I am expecting t/Koha/Middleware/ContentSecurityPolicy.t to fail if
there is no DB, why is it not in db_dependent?
Also I don't think those 2 includes are needed:
27 use File::Basename qw(dirname);
28 use HTTP::Request::Common;=20
4. Koha::Cache::Memory::Lite; is loaded in several modules but not used.
5. We will need a commit for ktd to sync koha-conf.xml
6. xt/api.t is failing
xt/api.t .. 1/8=20
# Failed test 'Validation exit code is 0'
# at xt/api.t line 103.
# got: '256'
# expected: '0'
# Validation failed. /paths/public/csp-reports/post/parameters/body has an
invalid type (array,object)
# Looks like you failed 1 test of 1.
xt/api.t .. 3/8=20
# Failed test 'The spec passes the swagger-cli validation'
# at xt/api.t line 108.
# Failed test 'No tag errors in the spec'
# at xt/api.t line 130.
# Structures begin differing at:
# $got->[0] =3D 'post /public/csp-reports -> uses tag 'csp' not
present in top level list'
# $expected->[0] =3D Does not exist
post /public/csp-reports -> uses tag 'csp' not present in top level list
7. When enabled, I see an error in the browser's console:
Content-Security-Policy: The page=E2=80=99s settings blocked the loading of a=
resource
(media-src) at data: because it violates the following directive: =E2=80=9Cde=
fault-src
'self'=E2=80=9D
Might be related to the other error:
Source map error: request failed with status 404
Resource URL:
http://dev-intra.localhost/intranet-tmpl/lib/bootstrap/bootstrap.bundle.min_2=
5.1200026.js
Source Map URL: bootstrap.bundle.min.js.map
8. It's not clear to me why we are using an env var, I would go with a package
variable. I actually faced the same problem a couple of weeks ago on bug 4189=
5,
please have a look at Koha/Context/UserEnv.pm in the first patch there.
9. Did you discuss those 3 occurrences?
misc/cronjobs/cloud-kw.pl:$message