From bugzilla-daemon@bugs.koha-community.org Thu Mar 5 05:05:44 2026 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to HTML responses Date: Thu, 05 Mar 2026 04:05:44 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5332286908870742478==" --===============5332286908870742478== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365 --- Comment #258 from David Cook --- (In reply to Jonathan Druart from comment #253) > > > 7. When enabled, I see an error in the browser's console: > > > Content-Security-Policy: The page=E2=80=99s settings blocked the loadin= g of a > > > resource (media-src) at data: because it violates the following directi= ve: > > > =E2=80=9Cdefault-src 'self'=E2=80=9D > >=20 > > That's interesting. I'd like to hear more about this one. Were there > > additional details? I wonder if it had to do with audio when doing a > > checkout or something? >=20 > No idea! There is nothing else! Don't you see it? Nope! I haven't been able to find it. I don't see it anywhere. Does it happen on a particular page? > Ok, however I found more: > Caught by the xt tests (and now by add_csp_nonces.pl as well) > * t/lib/plugins/Koha/Plugin/TestValuebuilder/test_valuebuilder_popup.tt So this is an interesting one. I will upload a patch for this one, but it's going to work differently to what you might expect. I'll explain more in my response to your comment about cataloguing plugins.=20 (To test this one, you'll want to run `prove t/db_dependent/Koha/Plugins/Valuebuilder_hooks.t`) > And those ones when testing the UI: > * cataloguing/value_builder/* (oops, all cataloguing plugins are broken) > We might need to adjust the xt test and add_csp_nonces.pl to caught those > files as well. So these aren't actually broken. When I was first working on the patches, I thought they would be, but the script tags are actually already re-written by Koha/FrameworkPlugin.pm, so it adds the nonce to them. If you try out the cataloguing plugins, they should all work without any violation reports. See the patch labelled "Bug 38365: Fix nonce caching and add to framework plugin scripts". I think an argument could be made for fixing them a different way... and you just reminded me of why I used an ENV variable initially. It was for this. Wh= en the plugins get launched the CGI context gets re-set which is why I lost the cached values, but the ENV variable would persist and the package level variable are fine.=20 > Also wondering if this one won't require adjustment: > misc/devel/tidy.pl:172 $content =3D~ s#\n*( > *)