[4.0] Issue warnings when unsafe-inline or unsafe-eval are used in auto mode #29602
Conversation
Co-authored-by: Richard Fath <richard67@users.noreply.github.com>
@zero-24 Is it correct that I first have to change the mode from "Detect" to "Automatic" before publishing the reports? When still in detect mode I don't get the new warnings. If this is correct, then your PR works as intended.
Ah, I see, I get the message also in the reverse order, when I publish the reports and then change the mode. I get them with the mode change then. Makes sense to me and I think it is right.
I have tested this item ✅ successfully on 701cab1. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.
@zero-24 Maybe you should add the step to change mode from "Detect" to "Automatic" to your testing instructions. It is currently missing there. The title of the PR tells it too, so at the end I found it out. But for other testers it's maybe easier to test then.
Done. |
I have tested this item ✅ successfully on 701cab1
RTC
Co-authored-by: Quy <quy@fluxbb.org>
@zero-24 After last corrections I get only with patch applied:
@Quy Seems you have forgotten to remove the closing bracket, too, in your suggested changes. See my previous review comments and the screenshot.
Back to pending.
Co-authored-by: Richard Fath <richard67@users.noreply.github.com>
I have tested this item ✅ successfully on 38e3442
One more test needed.
I have tested this item ✅ successfully on 38e3442
RTC
Thanks!
Summary of Changes
Issue warnings when unsafe-inline or unsafe-eval are used in auto mode
Testing Instructions
Expected result
You get a warning as this bypasses the CSP
Actual result
You get no info about that bypass.
Documentation Changes Required
Yes.
https://help.joomla.org/proxy?keyref=Help40:Components_CSP_Reports_Options && https://help.joomla.org/proxy?keyref=J4.x:Http_Header_Management
Acknowledgements
Warnings / Message text based on https://csp-evaluator.withgoogle.com/
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
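To make the "this bypasses the CSP" point concrete, here is an added example (my own code, not part of the PR or of Joomla): a stand-alone checker that parses a Content-Security-Policy header value, works out which directive actually governs script execution (script-src, falling back to default-src), and raises findings for 'unsafe-inline' and 'unsafe-eval' using the csp-evaluator message text quoted under Acknowledgements. It also carries the caveat a reviewer would want: in CSP Level 2 a nonce or hash in the same directive makes conforming browsers ignore 'unsafe-inline', while nothing neutralises 'unsafe-eval'. The scope (script directives only), the severity labels and the sample policies are my assumptions; the PR's own behaviour in the Joomla CSP component is not reproduced here.

```javascript
// Added example, not code from the Joomla PR: a stand-alone checker that
// reproduces the kind of warning the PR adds. It parses a
// Content-Security-Policy header value, works out which directive actually
// governs script execution (script-src, else default-src), and reports
// 'unsafe-inline' and 'unsafe-eval' using the csp-evaluator message text
// quoted in the PR. All policy strings below are constructed for illustration.

// Parse "name value value; name value" into a Map of directive name -> values.
// A repeated directive is ignored by browsers, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src controls scripts; when it is absent browsers fall back to default-src.
function effectiveScriptSrc(directives) {
  for (const name of ['script-src', 'default-src']) {
    if (directives.has(name)) return { name, values: directives.get(name) };
  }
  return null;
}

// True when the directive carries a nonce or hash source expression.
function hasNonceOrHash(values) {
  return values.some((v) => /^'(nonce-|sha(256|384|512)-)/i.test(v));
}

// Returns a list of { severity, directive, message } findings for one header value.
function checkUnsafeKeywords(header) {
  const findings = [];
  const src = effectiveScriptSrc(parseCsp(header));
  if (src === null) {
    findings.push({
      severity: 'high',
      directive: null,
      message: 'Neither script-src nor default-src is set, so scripts are unrestricted.',
    });
    return findings;
  }
  const lower = src.values.map((v) => v.toLowerCase());
  if (lower.includes("'unsafe-inline'")) {
    // CSP Level 2: a nonce or hash in the same directive makes conforming
    // browsers ignore 'unsafe-inline', so it only matters for old browsers.
    const ignored = hasNonceOrHash(src.values);
    findings.push({
      severity: ignored ? 'medium' : 'high',
      directive: src.name,
      message: ignored
        ? "'unsafe-inline' is ignored by browsers that support nonces/hashes but still allows inline scripts in older browsers."
        : "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.",
    });
  }
  if (lower.includes("'unsafe-eval'")) {
    // Nonces and hashes do not affect 'unsafe-eval'; it always opens eval()/Function().
    findings.push({
      severity: 'high',
      directive: src.name,
      message: "'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().",
    });
  }
  return findings;
}

// Constructed sample policies (assumptions, not taken from the PR): the first
// is what an automatically assembled policy might look like before the warning
// is raised; the others contrast it.
const SAMPLE_POLICIES = {
  autoModeWeak: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'",
  defaultSrcFallback: "default-src 'self' 'unsafe-inline'",
  nonceBased: "script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic'; object-src 'none'",
  clean: "default-src 'self'; object-src 'none'",
};

for (const [label, policy] of Object.entries(SAMPLE_POLICIES)) {
  console.log(label, checkUnsafeKeywords(policy));
}
```

Run it with `node` to see the findings for each sample. The fallback to default-src matters in practice: a policy that never mentions script-src but carries 'unsafe-inline' in default-src is just as permissive for scripts, and a checker that only looks at script-src would miss it.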