From bugzilla-daemon@bugs.koha-community.org Fri Mar 6 00:35:18 2026 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to HTML responses Date: Thu, 05 Mar 2026 23:35:17 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0067760798886822039==" --===============0067760798886822039== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365 --- Comment #271 from David Cook --- (In reply to Jonathan Druart from comment #265) > (In reply to David Cook from comment #258) > > (In reply to Jonathan Druart from comment #253) > > > > > 7. When enabled, I see an error in the browser's console: > > > > > Content-Security-Policy: The page=E2=80=99s settings blocked the lo= ading of a > > > > > resource (media-src) at data: because it violates the following dir= ective: > > > > > =E2=80=9Cdefault-src 'self'=E2=80=9D > > > >=20 > > > > That's interesting. I'd like to hear more about this one. Were there > > > > additional details? I wonder if it had to do with audio when doing a > > > > checkout or something? > > >=20 > > > No idea! There is nothing else! Don't you see it? > >=20 > > Nope! I haven't been able to find it. I don't see it anywhere. Does it > > happen on a particular page? >=20 > All pages: https://snipboard.io/if28Qu.jpg Yeah, I don't see that on mine: https://snipboard.io/GSboJW.jpg media-src is for