Remove inline javascript to comply with some CSP #108

Closed
mossroy opened this issue Jan 5, 2022 · 8 comments

mossroy commented Jan 5, 2022

It does not seem to block the main usage, but the following inline javascript seems to be in every page, and is blocked:

    <script type="text/javascript">
        function extend(obj, src) {
            Object.keys(src).forEach(function(key) { obj[key] = src[key]; });
            return obj;
        }

        var vjs_options = {"techOrder": ["html5", "ogvjs"], "ogvjs": {"base": "assets/vendor/ogvjs"}, "controlBar": {"pictureInPictureToggle":false}};
        // mobile safari won't autoplay muted loop webm
        if (/(mobile|iphone|ipad).*safari*/i.test(navigator.userAgent)) { vjs_options.controls = true;}
        document.querySelectorAll('.video-js').forEach(function(video) {
            var options = extend(vjs_options, {preload: ((video.getAttribute("class") || "").indexOf("youtube") != -1) ? 'none': 'auto'});
            videojs(video, options);
        });
    </script>

rgaudin (Member) commented Jan 5, 2022

I'll look into it but wikihow is different to other scrapers in that we mostly copy the main chunk of content from the online source and put it into the ZIM.

In other scrapers, we usually manually pick what we're interested in and build a custom template from scratch.

Given the very flexible nature of the mediawiki behind wikihow, there can be inline JS inside articles…

rgaudin added the question (Further information is requested) label Jan 5, 2022

kelson42 (Contributor) commented Feb 5, 2022

@rgaudin can we easily secure that our code at least does not have inline js? I’m not sure about the frequency of inline js in WikiHow code?

rgaudin closed this as completed in 062ea4d Feb 8, 2022

rgaudin (Member) commented Feb 8, 2022

@mossroy I've removed our part but many pages have inline JS. Though it should be mostly harmless to just ignore them.

mossroy (Author) commented Feb 8, 2022

Thanks!
Let me know when we can test with a new ZIM file

kelson42 (Contributor) commented Feb 8, 2022

mossroy (Author) commented Mar 4, 2022

This pipeline has failed.
Do we have another newly-generated wikihow ZIM that would include this fix, so that we can test it with kiwix-s?

rgaudin (Member) commented Mar 4, 2022

kelson42 added this to the 1.1.0 milestone Mar 4, 2022

mossroy (Author) commented Mar 4, 2022

Thanks @rgaudin! I confirm the issue is fixed in this wikihow ZIM file.
I could browse the content (including some with videos), and did not see any blocked inline javascript in Chromium console, with kiwix-js as an extension.

By the way, I opened some very similar issues on other scrapers. See the list in kiwix/kiwix-js#789 (comment)
I know it's some work to fix them, but they're really a problem for us on kiwix-js.
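
The thread asks whether generated pages can be checked for inline JS. One way to do that, as an added example (not code from the scraper or from Kiwix), is a Python check that lists what a CSP without 'unsafe-inline' will not execute: inline `<script>` bodies, `on*` event-handler attributes and `javascript:` URLs. The class name, function name and sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Non-executable data blocks; any other inline <script> type is reported.
DATA_TYPES = {"application/json", "application/ld+json"}

class InlineJSFinder(HTMLParser):
    """Collect what a CSP without 'unsafe-inline' refuses to execute."""
    def __init__(self):
        super().__init__()
        self.findings = []        # (line, kind, detail)
        self._script_line = None  # set while inside an executable inline <script>

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = {name: (value or "") for name, value in attrs}
        script_type = attrs.get("type", "").strip().lower()
        if tag == "script" and "src" not in attrs and script_type not in DATA_TYPES:
            self._script_line = line
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append((line, "event-handler", name))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", name))

    def handle_data(self, data):
        if self._script_line is not None and data.strip():
            first = data.strip().splitlines()[0][:60]  # first line as context
            self.findings.append((self._script_line, "inline-script", first))
            self._script_line = None  # report each inline script once

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_line = None

def find_inline_js(html):
    finder = InlineJSFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: external script and JSON data block pass, two findings.
SAMPLE = """<script src="assets/videojs.js"></script>
<script type="application/ld+json">{"@type": "HowTo"}</script>
<a href="#" onclick="play()">play</a>
<script type="text/javascript">
    var vjs_options = {"techOrder": ["html5", "ogvjs"]};
</script>"""
if __name__ == "__main__":
    print(*find_inline_js(SAMPLE), sep="\n")
```

Run over every HTML entry before it is written to the ZIM, a non-empty result separates inline JS coming from the scraper's own template from inline JS carried in with copied article content.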
