Remove inline javascript to comply with some CSP #168

Closed
mossroy opened this issue Mar 4, 2022 · 3 comments · Fixed by #174


mossroy commented Mar 4, 2022

Tested with https://download.kiwix.org/zim/mooc/phzh_core-english-one_en_2021-07.zim

There are many inline scripts that should be moved to external JavaScript files:

<script>
      window.MathJax = {
...
      };
</script>
<script type="text/javascript">
    // Activating Mathjax accessibility files
    // Sets the MathJax accessibility menu defaults (collapsible, autocollapse, explorer).
    // NOTE(review): window.MathJax is assigned as a whole object here and again by a later
    // inline script on this page ({ menuSettings: { CHTMLpreview: false } }); the later
    // assignment replaces this object rather than merging into it, so these three settings
    // only take effect if MathJax has already read them by then -- confirm load order.
    window.MathJax = {
        menuSettings: {
            collapsible: true,
            autocollapse: true,
            explorer: true
        }
    };
</script>
<script type="text/javascript">
        /* immediately break out of an iframe if coming from the marketing website */
        /* Frame-buster: when this document is not the top-level browsing context, the
           top-level context is navigated to this document's URL.
           NOTE(review): the check is unconditional -- any embedding frame, not only the
           marketing site, triggers the top-level navigation, which is what takes an
           embedding reader's page down. The comparison is object identity between two
           Location objects, and reading win.top.location from a cross-origin frame may
           throw a SecurityError instead of returning a value. */
        (function (win) {
          var isFramed = win.location !== win.top.location;
          if (!isFramed) {
            return;
          }
          win.top.location = win.location;
        })(this);
      </script>
<script>
    // Publishes the static-asset root as a global and points the RequireJS loader at it.
    window.baseUrl = "/static/";
    // `this` is the page's global object in a classic script. The fallback to
    // RequireJS.require only works if a global `require` is at least declared; reading an
    // undeclared identifier throws a ReferenceError before `||` is evaluated. The same
    // pattern recurs in the other require.config / require([...]) scripts on this page.
    (function (require) {
      require.config({
          baseUrl: window.baseUrl
      });
    }).call(this, require || RequireJS.require);
  </script>
<script type="text/javascript">
        (function (require) {
          require.config({
              paths: {
...
            }
          });
        }).call(this, require || RequireJS.require);
    </script>
<script type="text/javascript">
  // No-op analytics shim: exposes the tracker API surface (track, trackLink, pageview,
  // page) as a global so callers can invoke it whether or not a real tracker is loaded.
  // Each method is a distinct function that does nothing and returns undefined.
  var analytics = (function () {
    var makeStub = function () {
      return function () { return; };
    };
    return {
      track: makeStub(),
      trackLink: makeStub(),
      pageview: makeStub(),
      page: makeStub()
    };
  })();
</script>
<script type="text/javascript">
  // Matomo tracking bootstrap: `_paq` is the command queue that matomo.js consumes once it
  // has loaded, so commands can be pushed before the tracker script exists.
  var _paq = window._paq || [];
  /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    // Protocol-relative URL: the tracker is fetched over whatever scheme the page itself
    // uses (plain http on an http page). NOTE(review): this is a third-party script load
    // plus an outbound request on every page view; a CSP has to allow this host in
    // script-src (and the beacon endpoints in connect-src/img-src) for it to keep working.
    var u="//matomo.swissmooc.ch/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '4']);
    // Injects <script async defer src=".../matomo.js"> immediately before the first
    // <script> element in the document.
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
<script type="text/javascript">
    // Fast Preview was introduced in 2.5. However, it
    // causes undesirable flashing/font size changes when
    // MathJax is used for interactive preview (equation editor).
    // Setting processSectionDelay to 0 (see below) fully eliminates
    // fast preview, but to reduce confusion, we are also setting
    // the option as displayed in the context menu to false.
    // When upgrading to 2.6, check if this variable name changed.
    // NOTE(review): this assigns a fresh object, so whatever an earlier inline script on
    // this page stored in window.MathJax (the accessibility menuSettings: collapsible,
    // autocollapse, explorer) is discarded here; merging into the existing menuSettings
    // would keep both sets of options.
    window.MathJax = {
      menuSettings: {CHTMLpreview: false}
    };
</script>
<script type="text/javascript">
        // Loads the courseware module through RequireJS and runs its factory once the
        // module is available. This is asynchronous: nothing that follows on the page can
        // assume CoursewareFactory() has already run. As with the other loader scripts
        // here, `require || RequireJS.require` needs a declared `require`; an undeclared
        // one throws before the fallback is reached.
        (function (require) {
            require(['js/courseware/courseware_factory'], function (CoursewareFactory) {
                
    CoursewareFactory();
  
            });
        }).call(this, require || RequireJS.require);
    </script>
<script type="text/javascript">
    // Global course identifier for other page scripts. `\u002D` is an escaped '-' (the
    // string reads course-v1:PHZH+W-IB+2019_E); presumably the server-side template's
    // JavaScript escaping produced it -- the value itself is a fixed literal here.
    var $$course_id = "course\u002Dv1:PHZH+W\u002DIB+2019_E";
  </script>
<script type="text/javascript">
  // Copies every header link (`.main div a`) into the mobile user dropdown, each wrapped
  // in a static container <div>. Because each wrapper is prepended, the dropdown ends up
  // listing the links in reverse header order. The `index` argument is unused.
  function menuMobile(){
    var links_header = $('.main div a');
    // Static markup only; the cloned link is handed to .html() as a DOM node, not as an
    // HTML string, so nothing from the link's text is re-parsed as markup.
    var container_link = '<div class="mobile-nav-item dropdown-item dropdown-nav-item menu-dropdown-show"></div>';
    
    links_header.each(function (index) {
      var clone_element = $(this).clone();

      $('.dropdown-user-menu').prepend($(container_link).html(clone_element[0]));
    });
  }
  // Runs once the DOM is ready.
  $(document).ready(menuMobile);
</script>
<script>
// Cookie-consent banner bootstrap for the cookieconsent library (loaded elsewhere on the
// page). Runs after the window load event; the first argument is the banner
// configuration, the second a callback that receives the created popup.
window.addEventListener("load", function(){
  window.cookieconsent.initialise({

    // Banner markup template; {{classes}} and {{children}} are placeholders the library
    // fills in. The googleoff/googleon comments mark the banner as not-to-be-indexed.
    window: '<div dir="ltr" role="dialog" tabindex="-1" id="cookiepopup" aria-label="cookieconsent" class="cc-window {{classes}}"><!--googleoff: all-->{{children}}<!--googleon: all--></div>',

    palette:{
      popup: {background: "#323538", text: "#ffffff"},
      button: {background: "#005379", text: "#ffffff"},
    },
    "content": {
      "message": "This website uses cookies to ensure you get the best experience on our website. If you continue browsing this site, we understand that you accept the use of cookies.",
      "dismiss": "Got it!",
      "link": "Learn more",
    },
    theme: "classic",
    // Dismiss-button template. tabindex="2" is a positive tab index, which pulls the button
    // ahead of the document's natural tab order; the class token `cc-dismiss:focus` looks
    // like a CSS pseudo-class that leaked into the class attribute -- confirm intent.
    "elements": {
        "dismiss": '<a aria-label="dismiss cookie message" id="dismiss" role=button tabindex="2" class="cc-btn cc-dismiss:focus">{{dismiss}}</a>',
    },
    "position": "bottom",
    // NOTE(review): a string, not a boolean; whether the library treats "true" the same as
    // true is not visible here -- confirm.
    "static": "true",
    // On dismissal, asks the server (same-origin GET) to set the consent cookie. The
    // response is ignored and there is no failure handler, so a lost request silently
    // leaves consent unrecorded.
    "onStatusChange": function( status, before ) {
      if( status === 'dismiss' ) {
        $.get('/cookieconsent-set-http-cookie');
      }
    }
  },
  // Called once the popup exists: adds keyboard handling on top of the library's own.
  function(popup){

    // Escape (keyCode 27) closes the banner. `keyCode` is a legacy property; `event.key`
    // is the current equivalent.
    $(".cc-window").on('keydown', function(event) {
      if (event.keyCode == 27 ){
        popup.close();
      } 
    });

    // Enter (13) or Space (32) on the dismiss link activates it.
    $("#dismiss").on('keydown', function(event) {
      if (event.keyCode == 13 || event.keyCode == 32 ) {
        popup.onButtonClick(event);
      }
    });  
  });
});
</script>
<script type="text/javascript">
        
    // Mounts the verification "sock" widget on the `.verification-sock` element.
    // CourseSock is defined elsewhere (not on this page); the instance is discarded, so
    // the constructor presumably attaches itself to the DOM as a side effect -- confirm.
    new CourseSock({
        el:'.verification-sock'
    });

      </script>
<script type="text/javascript">
    // Footer language switcher: persists the chosen language in a cookie, then reloads.
    window.footerLanguageSelector = {
        // $select: despite the `$` prefix, `.value` is read directly, so this looks like a
        // raw <select> element rather than a jQuery wrapper -- confirm against the caller.
        // refreshPage is passed unbound, which is fine because it does not use `this`.
        handleSelection: function($select) {
            this.setLanguageCookie($select.value, this.refreshPage);
        },

        // Writes `openedx-language-preference=<value>` (the \u002D escapes are '-') with
        // path=/, domain=.mooc.phzh.ch and a 14-day max-age (1209600 s), then calls
        // callback().
        // NOTE(review): `value` is concatenated unescaped; cookie attributes are separated
        // by ';', so a value containing one would be parsed as extra attributes. The option
        // values of a <select> are page-controlled, but encodeURIComponent(value) would
        // make that independent of the markup.
        // NOTE(review): no Secure or SameSite attribute is set, and the hard-coded Domain
        // means a browser showing this page from any host outside .mooc.phzh.ch rejects
        // the cookie, after which the reload below changes nothing.
        setLanguageCookie: function(value, callback) {
            var cookie = 'openedx\u002Dlanguage\u002Dpreference=' + value + ';path=/';

            
                cookie += ';domain=.mooc.phzh.ch';
                cookie += ';max-age=1209600';

            document.cookie = cookie;

            callback();
        },

        // Reloads the current page so the server renders it in the new language.
        refreshPage: function() {
            window.location.reload();
        }
    };
</script>
<script type="text/javascript">

 "use strict";
 var bookmark_top = '.bookmark-button-wrapper .bookmark-button';
 var bookmark_bottom = '.sequence-bottom .bookmark-button';
 var target, config, callback, observer, target2, config2, callback2, observer2;

...

</script>
<script type="text/javascript">
// Inserts a placeholder <div> into #seq_content and removes it again at once, leaving
// the DOM unchanged; presumably done to fire whatever watches #seq_content for
// mutations (inferred from the name, not visible here).
function trigger_seq_content_change_behaviour() {
  var $sequence = $('#seq_content');
  $sequence.append("<div id='dummy_div'></div>");
  $('#dummy_div').remove();
}

// Run once after the window load event; the load event argument is ignored.
$(window).load(trigger_seq_content_change_behaviour);
</script>

There are also some inline `onclick` attributes, like:

<a aria-expanded="true" class="zim-button-chapter chapter zim-active" onclick="toggle_visibility_submenu(this)" role="button">

stale bot commented Jun 12, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will now be reviewed manually. Thank you for your contributions.

@Jaifroid

Moreover, the scripts seem to break out of our iframe, and navigate the top-level document, which then destroys the Kiwix JS reader. There was a similar case with Stackexchange ZIMs when the new Type 1 ZIM type was introduced, but @rgaudin fixed it.

@stale stale bot removed the stale label Sep 25, 2022

stale bot commented May 26, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will now be reviewed manually. Thank you for your contributions.

@stale stale bot added the stale label May 26, 2023
@benoit74 benoit74 self-assigned this Jul 7, 2023
@stale stale bot removed the stale label Jul 7, 2023
@benoit74 benoit74 added this to the v1.1.0 milestone Jul 13, 2023