From bugzilla-daemon@bugs.koha-community.org Thu Mar 5 07:03:04 2026
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to
HTML responses
Date: Thu, 05 Mar 2026 06:03:02 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8844304665524247917=="
--===============8844304665524247917==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365
--- Comment #263 from David Cook ---
Test plan:
0. Apply the patch
1. cp debian/templates/plack.psgi /etc/koha/sites/kohadev/plack.psgi
2. Add conf to /etc/koha/sites/kohadev/koha-conf.xml
report-only
default-src 'self'; script-src 'self'
'nonce-_CSP_NONCE_'; style-src 'self' 'nonce-_CSP_NONCE_'; style-src-attr
'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none';
report-uri /api/v1/public/csp-reports; report-to
csp-violations
report-only
default-src 'self'; script-src 'self'
'nonce-_CSP_NONCE_'; style-src 'self' 'nonce-_CSP_NONCE_'; style-src-attr
'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none';
report-uri /api/v1/public/csp-reports; report-to
csp-violations
3. Rebuild resources
perl build-resources.PL
4. Add the following to /etc/koha/sites/kohadev/log4perl.conf
log4perl.logger.csp =3D WARN, CSP
log4perl.appender.CSP=3DLog::Log4perl::Appender::File
log4perl.appender.CSP.filename=3D/var/log/koha/kohadev/csp-violations.log
log4perl.appender.CSP.mode=3Dappend
log4perl.appender.CSP.layout=3DPatternLayout
log4perl.appender.CSP.layout.ConversionPattern=3D[%d] %m%n
log4perl.appender.CSP.utf8=3D1
log4perl.logger.plack-csp =3D WARN, PLACKCSP
log4perl.appender.PLACKCSP=3DLog::Log4perl::Appender::File
log4perl.appender.PLACKCSP.filename=3D/var/log/koha/kohadev/plack-csp-violati=
ons.log
log4perl.appender.PLACKCSP.mode=3Dappend
log4perl.appender.PLACKCSP.layout=3DPatternLayout
log4perl.appender.PLACKCSP.layout.ConversionPattern=3D[%d] %m%n
log4perl.appender.PLACKCSP.utf8=3D1
5. Restart everything
restart_all
6. Run unit tests:
GIT_INSTALL=3D1 KOHA_HOME=3D/kohadevbox/koha/ prove -v
t/Koha/ContentSecurityPolicy.t
t/db_dependent/Koha/Middleware/ContentSecurityPolicy.t
t/db_dependent/Koha/Template/Plugin/Koha.t
t/db_dependent/api/v1/public/csp_reports.t
7. Set up SSL on OPAC
- sudo vi /etc/apache2/sites-enabled/kohadev.conf
Add the following to the bottom of the OPAC :8080 virtualhost:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
- sudo a2enmod ssl
- sudo service apache2 restart
8. Manual testing
Open your F12 dev tools, go to the Console tab, and look for CSP errors as you
navigate around Koha.
- Go to
/cgi-bin/koha/tools/additional-contents.pl?op=3Dadd_form&category=3Dnews&edit=
mode=3Dwysiwyg
in
the staff interface
- Add a news item for "Staff interface and OPAC" with the following HTML:
- To test the OPAC with CSP violation reports, go to
https://kohadev.mydnsname.org:8080/
- If you're not seeing reports in
/var/log/koha/kohadev/plack-csp-violations.log, try using
a different browser or a private/incognito window
NOTE: The following is an example of Firefox and Chrome reporting
(respectively)
[2026/03/04 03:18:20] CSP violation: 'script-src-elem' blocked 'inline' on pa=
ge
'https://kohadev.mydnsname.org:8080/' at
https://kohadev.mydnsname.org:8080/:763:63
[2026/03/04 03:18:26] CSP violation: 'script-src-elem' blocked 'inline' on pa=
ge
'https://kohadev.mydnsname.org:8080/' at
https://kohadev.mydnsname.org:8080/:763
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============8844304665524247917==--