From bugzilla-daemon@bugs.koha-community.org Thu Mar 5 05:05:44 2026
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 38365] Add Content-Security-Policy HTTP header to
HTML responses
Date: Thu, 05 Mar 2026 04:05:44 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5332286908870742478=="
--===============5332286908870742478==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D38365
--- Comment #258 from David Cook ---
(In reply to Jonathan Druart from comment #253)
> > > 7. When enabled, I see an error in the browser's console:
> > > Content-Security-Policy: The page=E2=80=99s settings blocked the loadin=
g of a
> > > resource (media-src) at data: because it violates the following directi=
ve:
> > > =E2=80=9Cdefault-src 'self'=E2=80=9D
> >=20
> > That's interesting. I'd like to hear more about this one. Were there
> > additional details? I wonder if it had to do with audio when doing a
> > checkout or something?
>=20
> No idea! There is nothing else! Don't you see it?
Nope! I haven't been able to find it. I don't see it anywhere. Does it happen
on a particular page?
> Ok, however I found more:
> Caught by the xt tests (and now by add_csp_nonces.pl as well)
> * t/lib/plugins/Koha/Plugin/TestValuebuilder/test_valuebuilder_popup.tt
So this is an interesting one. I will upload a patch for this one, but it's
going to work differently to what you might expect. I'll explain more in my
response to your comment about cataloguing plugins.=20
(To test this one, you'll want to run `prove
t/db_dependent/Koha/Plugins/Valuebuilder_hooks.t`)
> And those ones when testing the UI:
> * cataloguing/value_builder/* (oops, all cataloguing plugins are broken)
> We might need to adjust the xt test and add_csp_nonces.pl to caught those
> files as well.
So these aren't actually broken. When I was first working on the patches, I
thought they would be, but the script tags are actually already re-written by
Koha/FrameworkPlugin.pm, so it adds the nonce to them. If you try out the
cataloguing plugins, they should all work without any violation reports. See
the patch labelled "Bug 38365: Fix nonce caching and add to framework plugin
scripts".
I think an argument could be made for fixing them a different way... and you
just reminded me of why I used an ENV variable initially. It was for this. Wh=
en
the plugins get launched the CGI context gets re-set which is why I lost the
cached values, but the ENV variable would persist and the package level
variable are fine.=20
> Also wondering if this one won't require adjustment:
> misc/devel/tidy.pl:172 $content =3D~ s#\n*(
> *)