"Test Offline" forces inline scripts, which fail with restrictive CSP header

orbeon / orbeon-forms

Orbeon Forms is an open source web forms solution. It includes an XForms engine, the Form Builder web-based form editor, and the Form Runner runtime.

http://www.orbeon.com/

GNU Lesser General Public License v2.1

514 stars 221 forks source link

"Test Offline" forces inline scripts, which fail with restrictive CSP header #6261

Open ebruchez opened 5 months ago

ebruchez commented 5 months ago

This is at the XForms level. We force the inline mode in that case. Is there any way to fix this for the "Test Offline" mode? When actually on-device, this is not a problem.

ebruchez commented 5 months ago

If the static and dynamic scripts are not inline, they need to be fetched. The way they are fetched right now for online forms is:

static: getting static state from cache
- this could be possible, as we just compiled the form the state might be there
dynamic: getting live document
- this doesn't exist on the server when we run offline

So this won't work for the dynamic script. We might need to look at using a CSP nonce instead.