[Bug 42435] New: Many console errors on addbiblio.tt page after content secure policy
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 Bug ID: 42435 Summary: Many console errors on addbiblio.tt page after content secure policy Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Cataloging Assignee: koha-bugs@lists.koha-community.org Reporter: lucas@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: m.de.rooy@rijksmuseum.nl To recreate: 1. Go to Catloging > New record 2. Use dev tools to look at console 3. See many errors related to CSP -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 --- Comment #1 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- My first guess is all the inline onClick events in the addbooks.tt template. There are quire a few. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |38365 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38365 [Bug 38365] Add Content-Security-Policy HTTP header to HTML responses -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- So I'm looking at http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?frameworkcode= but I'm not seeing any at load time. I would expect there to be some that come up while using the editor though because of inline onclick handlers. Like cloning a tag or deleting a tag. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |38407 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38407 [Bug 38407] Eliminate event handler attributes in the staff interface -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- So I see bug 38407 as an umbrella/omnibus bug and we can use reports like these to work our way through the staff interface. The OPAC should be inline script attribute free, but there's still a lot in the staff interface. -- The cataloguing editor is arguably one of the trickier ones, but it shouldn't be too bad. Since HTML elements can be added dynamically, we can't add the event listeners at page load time. So we add the event listener at a higher level (like body or div#addbibliotabs) and then we use e.target in the "e" passed to the event listener handler as the event bubbles up from the click target to a higher level. Julian uses this event delegation in bug 30975. In his code, he uses jQuery's ".on( events [, selector ] [, data ], handler )" syntax. But another way of doing it is to use the native addEventListener (https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListene...) and use e.target. I like to use e.target.matches('.btn_class') and stuff like that for allowing 1 listener to handle a number of different event delegations. Very useful for dynamically generated HTML. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- Overall, keep in mind that KTD has report_only mode, but Koha out of the box has CSP disabled. Another thing to note is that these messages are actually just console logs. They're not errors or even warnings. (You can compare what those look like by going into the console and using things like console.warn('warn'); and console.error('error'); -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Many console errors on |Many console logs on |addbiblio.tt page after |addbiblio.tt page with |content secure policy |Content-Security-Policy in | |report-only mode -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | --- Comment #5 from David Cook <dcook@prosentient.com.au> --- I haven't had a chance to fully review addbiblio.tt yet, but here are some standouts: - onclick="CloneField - onclick="UnCloneField - onclick="CloneSubfield - onclick="openAuth(this.parentNode.parentNode.getElementsByTagName('input')[1].id,'PERSO_NAME','biblio'); return false;" - onsubmit="return Check();" These all look like they should be fairly easy to do. I can take assignee for now, but I probably won't get to it this week, so happy for someone else to take it if they want. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42435 --- Comment #6 from Owen Leonard <oleonard@myacpl.org> --- authorities.tt, addbiblio.tt, additem.tt, and matching-rules.tt are some of the worst offenders. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org