-
-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mockup requires unsafe-eval
for script-src
rule when configuring CSP header
#1306
Comments
I had a similar problem directly in Patternslib: That's interesting, that underscore has the same problem. It's necessary to fix this problem. I didn't know about https://github.com/silvermine/undertemplate but I think it's fine to use it to get rid of the CSP error and move forward. |
Sorry, I never had this one. But undertemplate looks good as we might get rid of |
@thet Well, I started replacing |
While migrating |
@frapell looks like undertemplate does not support conditional statements like There is ejs, which looks similar in syntax, but I think it has the same CSP problem: https://github.com/mde/ejs |
@thet Right, the problem is with evaluating JS code within the template, which you cannot do in undertemplate nor moustache, and yeah, ejs seems to have the same issue mde/ejs#468 I don't really see other way around than using a templating lib that doesn't allow JS evaluation, and do all our logic in code, and not the templates. That does remove flexibility into being able to change the template used for rendering the widget, but then again, is anyone really doing it? |
@petschki Didn't know you were working on that, it could be a good opportunity to strip out |
I do 🫣 https://github.com/collective/collective.behavior.relatedmedia/blob/main/collective/behavior/relatedmedia/resources/relateditems_selection.xml ... sorry 😉 |
But that's all obsolete when we come up with a new relateditems solution, which I'm really lookging forward to! |
This can be reproduced as follows:
docker-compose.yml
with this contents:nginx.conf
with this:/etc/hosts
and configuretest_csp.plone.com
to point at127.0.0.1
8080
and create an emptyClassic Plone site
docker-compose.yml
andnginx.conf
rundocker compose up
At this point, you should be able to open your browser and point to http://test_csp.plone.com/ to reach your site. If you try to login by opening the login modal, you will not be able to, and you can see an error message in the developer tools
Now, if you edit the
nginx.conf
and change the lineTo this
Then kill
nginx
and rundocker compose up
, you can now see the login modal and everything works fine.This issue is related to jashkenas/underscore#906 and jashkenas/underscore#2273 (Which basically are the same issue).
I don't know if this can be exploited in any way, however it is an issue, being that
unsafe-eval
completely blocks the usage of_.template
.On the second issue, an alternative is proposed (https://github.com/silvermine/undertemplate), would moving to this be acceptable?
The text was updated successfully, but these errors were encountered: