From bugzilla-daemon@bugs.koha-community.org Fri Mar 6 00:35:18 2026
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to
HTML responses
Date: Thu, 05 Mar 2026 23:35:17 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0067760798886822039=="
--===============0067760798886822039==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365
--- Comment #271 from David Cook ---
(In reply to Jonathan Druart from comment #265)
> (In reply to David Cook from comment #258)
> > (In reply to Jonathan Druart from comment #253)
> > > > > 7. When enabled, I see an error in the browser's console:
> > > > > Content-Security-Policy: The page=E2=80=99s settings blocked the lo=
ading of a
> > > > > resource (media-src) at data: because it violates the following dir=
ective:
> > > > > =E2=80=9Cdefault-src 'self'=E2=80=9D
> > > >=20
> > > > That's interesting. I'd like to hear more about this one. Were there
> > > > additional details? I wonder if it had to do with audio when doing a
> > > > checkout or something?
> > >=20
> > > No idea! There is nothing else! Don't you see it?
> >=20
> > Nope! I haven't been able to find it. I don't see it anywhere. Does it
> > happen on a particular page?
>=20
> All pages: https://snipboard.io/if28Qu.jpg
Yeah, I don't see that on mine: https://snipboard.io/GSboJW.jpg
media-src is for