sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

Content Security Policy (CSP) #1122

Open likehopper opened 3 years ago

likehopper commented 3 years ago

The security requirements of web servers are increasing. From now on it is recommended to have a "Content-Security-Policy" rule, and generally it prohibits the execution of inline scripts (unsafe-inline).

However, in Sympa's pages we have an inline script generated dynamically, and that prevents the menu from working.

For example these include:

    <!-- head_javascript.tt2 -->

    <script>
    <!--
    var sympa = {
        backText:           'Retour',
        calendarButtonText: 'Calendrier',
        calendarFirstDay:   0,
        closeText:          'Fermer',
        dayNames:           'Lundi:Mardi:Mercredi:Jeudi:Vendredi:Samedi:Dimanche'.split(":"),
        dayNamesMin:        'D:L:M:M:J:V:S'.split(":"),
        home_url:           '/sympa/',
        icons_url:          '/static-sympa/icons',
        lang:               'fr',
        loadingText:        'Veuillez patienter...',
        monthNamesShort:    'Jan:Fév:Mar:Avr:Mai:Jui:Juil:Aoû:Sep:Oct:Nov:Déc'.split(":"),
        openInNewWinText:   'Ouvrir dans une nouvelle fenêtre',
        resetText:          'Effacer'
    };
    var lang = 'fr';
    //-->
    </script>

Could you change it to call it from an external file?

Thanks, Vincent

ikedas commented 3 years ago

There seem to be some more things prohibited by CSP:

likehopper commented 1 year ago

Has the code been updated?

ikedas commented 1 year ago

How can we resolve the points I mentioned?

ikedas commented 1 year ago

Hi @likehopper, could you please apply the changes in the PR above and check whether the problem is fixed?