From bugzilla-daemon@bugs.koha-community.org Thu Mar 5 07:03:04 2026 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to HTML responses Date: Thu, 05 Mar 2026 06:03:02 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8844304665524247917==" --===============8844304665524247917== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365 --- Comment #263 from David Cook --- Test plan: 0. Apply the patch 1. cp debian/templates/plack.psgi /etc/koha/sites/kohadev/plack.psgi 2. Add conf to /etc/koha/sites/kohadev/koha-conf.xml report-only default-src 'self'; script-src 'self' 'nonce-_CSP_NONCE_'; style-src 'self' 'nonce-_CSP_NONCE_'; style-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; report-uri /api/v1/public/csp-reports; report-to csp-violations report-only default-src 'self'; script-src 'self' 'nonce-_CSP_NONCE_'; style-src 'self' 'nonce-_CSP_NONCE_'; style-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; report-uri /api/v1/public/csp-reports; report-to csp-violations 3. Rebuild resources perl build-resources.PL 4. Add the following to /etc/koha/sites/kohadev/log4perl.conf log4perl.logger.csp =3D WARN, CSP log4perl.appender.CSP=3DLog::Log4perl::Appender::File log4perl.appender.CSP.filename=3D/var/log/koha/kohadev/csp-violations.log log4perl.appender.CSP.mode=3Dappend log4perl.appender.CSP.layout=3DPatternLayout log4perl.appender.CSP.layout.ConversionPattern=3D[%d] %m%n log4perl.appender.CSP.utf8=3D1 log4perl.logger.plack-csp =3D WARN, PLACKCSP log4perl.appender.PLACKCSP=3DLog::Log4perl::Appender::File log4perl.appender.PLACKCSP.filename=3D/var/log/koha/kohadev/plack-csp-violati= ons.log log4perl.appender.PLACKCSP.mode=3Dappend log4perl.appender.PLACKCSP.layout=3DPatternLayout log4perl.appender.PLACKCSP.layout.ConversionPattern=3D[%d] %m%n log4perl.appender.PLACKCSP.utf8=3D1 5. Restart everything restart_all 6. Run unit tests: GIT_INSTALL=3D1 KOHA_HOME=3D/kohadevbox/koha/ prove -v t/Koha/ContentSecurityPolicy.t t/db_dependent/Koha/Middleware/ContentSecurityPolicy.t t/db_dependent/Koha/Template/Plugin/Koha.t t/db_dependent/api/v1/public/csp_reports.t 7. Set up SSL on OPAC - sudo vi /etc/apache2/sites-enabled/kohadev.conf Add the following to the bottom of the OPAC :8080 virtualhost: SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key - sudo a2enmod ssl - sudo service apache2 restart 8. Manual testing Open your F12 dev tools, go to the Console tab, and look for CSP errors as you navigate around Koha. - Go to /cgi-bin/koha/tools/additional-contents.pl?op=3Dadd_form&category=3Dnews&edit= mode=3Dwysiwyg in the staff interface - Add a news item for "Staff interface and OPAC" with the following HTML: - To test the OPAC with CSP violation reports, go to https://kohadev.mydnsname.org:8080/ - If you're not seeing reports in /var/log/koha/kohadev/plack-csp-violations.log, try using a different browser or a private/incognito window NOTE: The following is an example of Firefox and Chrome reporting (respectively) [2026/03/04 03:18:20] CSP violation: 'script-src-elem' blocked 'inline' on pa= ge 'https://kohadev.mydnsname.org:8080/' at https://kohadev.mydnsname.org:8080/:763:63 [2026/03/04 03:18:26] CSP violation: 'script-src-elem' blocked 'inline' on pa= ge 'https://kohadev.mydnsname.org:8080/' at https://kohadev.mydnsname.org:8080/:763 --=20 You are receiving this mail because: You are watching all bug changes. --===============8844304665524247917==--