From bugzilla-daemon@bugs.koha-community.org Thu Mar 5 10:39:26 2026 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to HTML responses Date: Thu, 05 Mar 2026 09:39:25 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1337452691090060419==" --===============1337452691090060419== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365 --- Comment #265 from Jonathan Druart --- (In reply to David Cook from comment #258) > (In reply to Jonathan Druart from comment #253) > > > > 7. When enabled, I see an error in the browser's console: > > > > Content-Security-Policy: The page=E2=80=99s settings blocked the load= ing of a > > > > resource (media-src) at data: because it violates the following direc= tive: > > > > =E2=80=9Cdefault-src 'self'=E2=80=9D > > >=20 > > > That's interesting. I'd like to hear more about this one. Were there > > > additional details? I wonder if it had to do with audio when doing a > > > checkout or something? > >=20 > > No idea! There is nothing else! Don't you see it? >=20 > Nope! I haven't been able to find it. I don't see it anywhere. Does it > happen on a particular page? All pages: https://snipboard.io/if28Qu.jpg > > Ok, however I found more: > > Caught by the xt tests (and now by add_csp_nonces.pl as well) > > * t/lib/plugins/Koha/Plugin/TestValuebuilder/test_valuebuilder_popup.tt >=20 > So this is an interesting one. I will upload a patch for this one, but it's > going to work differently to what you might expect. I'll explain more in my > response to your comment about cataloguing plugins.=20 >=20 > (To test this one, you'll want to run `prove > t/db_dependent/Koha/Plugins/Valuebuilder_hooks.t`) xt/find-missing-nonce.t is still failing on this file then. Should we exclude it? > > And those ones when testing the UI: > > * cataloguing/value_builder/* (oops, all cataloguing plugins are broken) > > We might need to adjust the xt test and add_csp_nonces.pl to caught those > > files as well. >=20 > So these aren't actually broken. When I was first working on the patches, I > thought they would be, but the script tags are actually already re-written > by Koha/FrameworkPlugin.pm, so it adds the nonce to them. If you try out the > cataloguing plugins, they should all work without any violation reports. See > the patch labelled "Bug 38365: Fix nonce caching and add to framework plugin > scripts". I do see dozens of violations in the console when I edit a biblio: https://snipboard.io/X7OYJp.jpg > I think an argument could be made for fixing them a different way... and you > just reminded me of why I used an ENV variable initially. It was for this. > When the plugins get launched the CGI context gets re-set which is why I > lost the cached values, but the ENV variable would persist and the package > level variable are fine.=20 >=20 > > Also wondering if this one won't require adjustment: > > misc/devel/tidy.pl:172 $content =3D~ s#\n*( > > *)