Details
Type: Bug
Resolution: Unresolved
Priority: Major
Affects Version: 14.4.6
Description
Hello.
In 2022, good practice is to use CSP (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) on our websites.
On my side, I have added the following header to my wiki:
Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval';";
I had to use unsafe-inline because XWiki uses inline scripts (for example: https://github.com/xwiki/xwiki-platform/blob/xwiki-platform-14.4.6/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/javascript.vm#L43-L237).
I also had to use unsafe-eval because require.js was complaining.
This configuration is insecure, which is an issue in its own right, but it also generates some errors.
When I browse the home page, I cannot load the Navigation panel. I cannot expand the breadcrumb either (see the screenshot); it stays stuck on "loading".
In the console, I can see the following errors:
Content Security Policy: The page's settings blocked the loading of a resource at blob:https://myWebsite.com/4866497b-8f65-48c0-ac39-6052866427af ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at blob:https://myWebsite.com/3bb739b5-d6ad-434a-a988-d9a94e8a0846 ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at blob:https://myWebsite.com/4d8e0bd3-9c8e-45f0-89d3-6bb440b8c3e6 ("script-src").
(I have replaced the real URL with myWebsite.com because the wiki is not public.)