[Bug 42276] New: CookieConsentedJS is loaded using unsafe method incompatible with CSP
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42276 Bug ID: 42276 Summary: CookieConsentedJS is loaded using unsafe method incompatible with CSP Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org In cookieconsent.js the Javascript from CookieConsentedJS is loaded and run using the following lines: const code = atob($(this).data("consent-code")); const func = Function(code); func(); While Function isn't as bad as eval(), for Content-Security-Policy it blocks it in the same way. That is, it requires unsafe-eval to be set in order to use it. Obviously, we want to avoid that when using CSP (bug 38365). -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42276 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de, | |martin.renvoize@openfifth.c | |o.uk -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42276 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Realistically, we shouldn't allow adding Javascript from the web UI. It's a nightmare from a security perspective. But Koha tries to be all things to all people... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42276 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- I got side tracked with some other things, but I'm sure we can come up with a better strategy for this one. At the moment, I'm thinking about a server-side generated JS object with the consent JS as separate methods keyed off IDs specific to the cookie consents. But I'd like to put a bit more thought into it still... which will be a bit tricky over the next couple weeks, but I'm not sure that we're in a huge rush on this one. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org