https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42276 Bug ID: 42276 Summary: CookieConsentedJS is loaded using unsafe method incompatible with CSP Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org In cookieconsent.js the Javascript from CookieConsentedJS is loaded and run using the following lines: const code = atob($(this).data("consent-code")); const func = Function(code); func(); While Function isn't as bad as eval(), for Content-Security-Policy it blocks it in the same way. That is, it requires unsafe-eval to be set in order to use it. Obviously, we want to avoid that when using CSP (bug 38365). -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.