From bugzilla-daemon@bugs.koha-community.org Tue Mar 3 10:59:30 2026 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to HTML responses Date: Tue, 03 Mar 2026 09:59:30 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3879636483794701185==" --===============3879636483794701185== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #232 from Jonathan Druart --- 1. I think we need a xt test to parse template files and catch regressions fr= om Jenkins. Let me know if I miss something, I can write it if you want me to. 2. `use strict; use warnings;` should be replaced by `use Modern::Perl;` 3. Is there a good reason to use Plack::Test in t/db_dependent/Koha/Middleware/ContentSecurityPolicy.t? IMO we should have a Cypress test. By the way I am expecting t/Koha/Middleware/ContentSecurityPolicy.t to fail if there is no DB, why is it not in db_dependent? Also I don't think those 2 includes are needed: 27 use File::Basename qw(dirname); 28 use HTTP::Request::Common;=20 4. Koha::Cache::Memory::Lite; is loaded in several modules but not used. 5. We will need a commit for ktd to sync koha-conf.xml 6. xt/api.t is failing xt/api.t .. 1/8=20 # Failed test 'Validation exit code is 0' # at xt/api.t line 103. # got: '256' # expected: '0' # Validation failed. /paths/public/csp-reports/post/parameters/body has an invalid type (array,object) # Looks like you failed 1 test of 1. xt/api.t .. 3/8=20 # Failed test 'The spec passes the swagger-cli validation' # at xt/api.t line 108. # Failed test 'No tag errors in the spec' # at xt/api.t line 130. # Structures begin differing at: # $got->[0] =3D 'post /public/csp-reports -> uses tag 'csp' not present in top level list' # $expected->[0] =3D Does not exist post /public/csp-reports -> uses tag 'csp' not present in top level list 7. When enabled, I see an error in the browser's console: Content-Security-Policy: The page=E2=80=99s settings blocked the loading of a= resource (media-src) at data: because it violates the following directive: =E2=80=9Cde= fault-src 'self'=E2=80=9D Might be related to the other error: Source map error: request failed with status 404 Resource URL: http://dev-intra.localhost/intranet-tmpl/lib/bootstrap/bootstrap.bundle.min_2= 5.1200026.js Source Map URL: bootstrap.bundle.min.js.map 8. It's not clear to me why we are using an env var, I would go with a package variable. I actually faced the same problem a couple of weeks ago on bug 4189= 5, please have a look at Koha/Context/UserEnv.pm in the first patch there. 9. Did you discuss those 3 occurrences? misc/cronjobs/cloud-kw.pl:$message"; 10. Vue apps have styling issues: Content-Security-Policy: The page=E2=80=99s settings blocked an inline style (style-src-elem) from being applied because it violates the following directive: =E2=80=9Cstyle-src 'self' 'nonce-UrNLygw_Cc1zaPU2WH0qVk'=E2=80=9D.= Consider using a hash ('sha256-t4I2teZN5ZH+VM+XOiWlaPbsjQHe+k9d6viXPpKpNWA=3D', requires 'unsafe-hashes' for style attributes) or a nonce. It's coming from insertBySelector.js and styleTagTransform.js 11. Not blocker but add_csp_nonces.pl should use Koha::Devel::Files to list files. 12. (In reply to David Cook from comment #99) > FYI bug 38407 will need to be resolved before the staff interface is ready > for CSP in prod. There is no patch there, should this depends on it then? 13. I didn't manage to see something in the violation logs. I enabled dom.reporting.* in about:config, what else is needed? Side note: This will heavily conflict with bug 41324... Easy to fix, but boring. --=20 You are receiving this mail because: You are watching all bug changes. --===============3879636483794701185==--