CMS MADE SIMPLE FORGE

CMSMSExt


[#12748] addition to jsloader to allow to use CSP nonce with xtjs_render

Created By: Ludger Merkens (lume)
Date Submitted: 2024-08-21 08:47

Assigned To: Fernando Morgado (JoMorg)
Resolution: None
State: Open
Summary:
addition to jsloader to allow to use CSP nonce with xtjs_render
Detailed Description:
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid
sources for JavaScript. This includes not only URLs loaded directly into
<script> elements, but also things like inline script event handlers (onclick)
and XSLT stylesheets which can trigger script execution.

One of the supported security mechanisms is to state a random one-time value (a
nonce) in an HTTP header like:

Content-Security-Policy: script-src 'nonce-2726c7f26c'

or in a <meta http-equiv="Content-Security-Policy" content="script-src
'nonce-2726c7f26c'">
tag and refer to this "nonce" when including script tags like:

<script nonce="2726c7f26c"> .... </script>

To enable this option with {xtjs_render} I changed the file
CMSMSExt/lib/jsloader/class.jsloader.php around line 607
from

$js_fmt = '<script src="%s"></script>';

to:

      if (isset($options['nonce'])) {
          // escape the nonce before placing it in the attribute: a well-formed
          // base64 nonce is unchanged, anything else cannot break out of the attribute
          $nonce = htmlspecialchars($options['nonce'], ENT_QUOTES, 'UTF-8');
          $js_fmt = '<script nonce="' . $nonce . '" src="%s"></script>';
      } else {
          $js_fmt = '<script src="%s"></script>';
      }

Since arguments passed to {xtjs_render} are already stored in $options, most
parts of the handling are already in place.
It still might be interesting to find a more general approach to allow for async
loading and similar features.


cheers
Ludger

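As an added example (my own illustration, not code from the CMSMSExt jsloader), the pieces described in the post fit together like this: a per-response nonce, the matching Content-Security-Policy value, the conditional script format string, and a check that the rendered tag and the policy agree. The function names and the script path are assumptions.

```php
<?php
// Added example, not CMSMSExt code: one CSP nonce per response, sent in the
// header and repeated on every rendered <script> tag, plus a consistency check.
declare(strict_types=1);

// CSP nonce values are base64; 16 random bytes give 128 bits of entropy.
function csp_generate_nonce(): string
{
    return base64_encode(random_bytes(16));
}

function csp_policy(string $nonce): string
{
    return "script-src 'nonce-" . $nonce . "'";
}

// Same branch as the proposed jsloader change: the nonce attribute is only
// emitted when one was supplied. The nonce is HTML-escaped first, because a
// value passed as {xtjs_render nonce=...} is template input; a well-formed
// base64 nonce passes through htmlspecialchars unchanged.
function render_script_tag(string $src, ?string $nonce = null): string
{
    if ($nonce !== null && $nonce !== '') {
        $safe   = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
        $js_fmt = '<script nonce="' . $safe . '" src="%s"></script>';
    } else {
        $js_fmt = '<script src="%s"></script>';
    }
    return sprintf($js_fmt, $src);
}

// Defender's check for a page-rendering test: does the nonce on a rendered
// tag match the one the policy allows? A mismatch means the browser blocks it.
function tag_nonce_matches_policy(string $tag, string $policy): bool
{
    if (!preg_match("/'nonce-([A-Za-z0-9+\\/=]+)'/", $policy, $p)) {
        return false;
    }
    if (!preg_match('/\bnonce="([^"]*)"/', $tag, $t)) {
        return false;
    }
    return hash_equals($p[1], html_entity_decode($t[1], ENT_QUOTES, 'UTF-8'));
}

$nonce  = csp_generate_nonce();
$policy = csp_policy($nonce);
if (!headers_sent()) {
    header('Content-Security-Policy: ' . $policy);
}
$tag = render_script_tag('/example/app.js', $nonce); // constructed sample path
echo $tag, "\n";
echo tag_nonce_matches_policy($tag, $policy) ? "nonce ok\n" : "nonce mismatch\n";
```
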
History

Comments
Date: 2024-09-17 11:46
Posted By: Ludger Merkens (lume)

What would be needed to follow up on this? (How) can I help?
      
Date: 2024-11-13 07:03
Posted By: Fernando Morgado (JoMorg)

Sorry, the Forge email system has been broken and we missed a few messages.
I'll look at this asap
      
Updates

Updated: 2024-08-22 08:18
resolution_id: => 5
assigned_to_id: 100 => 12532