[4.0] Issue warnings when unsafe-inline or unsafe-eval are used in auto mode

[zero-24]

Summary of Changes

Issue warnings when unsafe-inline or unsafe-eval are used in auto mode

Testing Instructions

• apply this patch
• switch com_csp in detect mode
• visit the frontend with eval and or inline css usage
• publish the collected reports about unsafe-inine / unsafe-eval
• switch com_csp to auto mode

Expected result

You get a warning as this bypasses the CSP

Actual result

You get no info about that bypass.

Documentation Changes Required

Yes.
https://help.joomla.org/proxy?keyref=Help40:Components_CSP_Reports_Options && https://help.joomla.org/proxy?keyref=J4.x:Http_Header_Management

Acknowledgements

Warnings / Message text based on https://csp-evaluator.withgoogle.com/
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

[richard67]

@zero-24 Is it correct that I first have to change the mode from "Detect" to "Automatic" before publishing the reports? When still in detect mode I don't get the new warnings. If this is correct, then your PR works as intended.

[richard67]

Ah I see I get the message also in the reverse order, when I publish the reports and then change the mode. I get them with mode change then. Makes sense to me and I think it is right.

[richard67]

I have tested this item ✅ successfully on 701cab1

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.}

[richard67]

@zero-24 Maybe you should add the step to change mode from "Detect" to "Automatic" to your testing instructions. It is currently missing there. The title of the PR tells it too, so at the end I found it out. But for other testers it's maybe more easy to test then.

[zero-24]

Done.

[ceford]

I have tested this item ✅ successfully on 701cab1

I changed the image in Help4.x:Components CSP Reports Options, also appearing in J4.x:Http Header Management, for one showing the message and a list of reports.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.}

[jwaisner]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.}

[richard67]

@jwaisner Did you notice @Quy 's review comments above?

[richard67]

@zero-24 After last corrections I get only with patch applied:

[richard67]

@Quy Seems you have forgotten to remove the closing bracket, too, in your suggested changes. See my previous review comments and the screenshot.

[richard67]

Back to pending.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.}

[richard67]

I have tested this item ✅ successfully on 38e3442

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.}

[richard67]

One more test needed.

[Quy]

I have tested this item ✅ successfully on 38e3442

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.}

[Quy]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.}

[wilsonge]

Thanks!