From bugzilla-daemon@bugs.koha-community.org Thu Mar 5 10:39:26 2026
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to
HTML responses
Date: Thu, 05 Mar 2026 09:39:25 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1337452691090060419=="
--===============1337452691090060419==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365
--- Comment #265 from Jonathan Druart ---
(In reply to David Cook from comment #258)
> (In reply to Jonathan Druart from comment #253)
> > > > 7. When enabled, I see an error in the browser's console:
> > > > Content-Security-Policy: The page=E2=80=99s settings blocked the load=
ing of a
> > > > resource (media-src) at data: because it violates the following direc=
tive:
> > > > =E2=80=9Cdefault-src 'self'=E2=80=9D
> > >=20
> > > That's interesting. I'd like to hear more about this one. Were there
> > > additional details? I wonder if it had to do with audio when doing a
> > > checkout or something?
> >=20
> > No idea! There is nothing else! Don't you see it?
>=20
> Nope! I haven't been able to find it. I don't see it anywhere. Does it
> happen on a particular page?
All pages: https://snipboard.io/if28Qu.jpg
> > Ok, however I found more:
> > Caught by the xt tests (and now by add_csp_nonces.pl as well)
> > * t/lib/plugins/Koha/Plugin/TestValuebuilder/test_valuebuilder_popup.tt
>=20
> So this is an interesting one. I will upload a patch for this one, but it's
> going to work differently to what you might expect. I'll explain more in my
> response to your comment about cataloguing plugins.=20
>=20
> (To test this one, you'll want to run `prove
> t/db_dependent/Koha/Plugins/Valuebuilder_hooks.t`)
xt/find-missing-nonce.t is still failing on this file then. Should we exclude
it?
> > And those ones when testing the UI:
> > * cataloguing/value_builder/* (oops, all cataloguing plugins are broken)
> > We might need to adjust the xt test and add_csp_nonces.pl to caught those
> > files as well.
>=20
> So these aren't actually broken. When I was first working on the patches, I
> thought they would be, but the script tags are actually already re-written
> by Koha/FrameworkPlugin.pm, so it adds the nonce to them. If you try out the
> cataloguing plugins, they should all work without any violation reports. See
> the patch labelled "Bug 38365: Fix nonce caching and add to framework plugin
> scripts".
I do see dozens of violations in the console when I edit a biblio:
https://snipboard.io/X7OYJp.jpg
> I think an argument could be made for fixing them a different way... and you
> just reminded me of why I used an ENV variable initially. It was for this.
> When the plugins get launched the CGI context gets re-set which is why I
> lost the cached values, but the ENV variable would persist and the package
> level variable are fine.=20
>=20
> > Also wondering if this one won't require adjustment:
> > misc/devel/tidy.pl:172 $content =3D~ s#\n*(
> > *)