Content Security Policy (CSP)

[likehopper]

The security requirements of web servers are increasing. From now it's recommended to have a "Content-Security-Policy" rule. And generally, it prohibits the execution of inline scripts (unsafe-inline).

However, in Sympa's pages, we have an innline script generated dynamically. And that prevents the menu from working.

For example these include:

        <!-- head_javascript.tt2 -->

	<script>
	<!--
	var sympa = {
	    backText:           'Retour',
	    calendarButtonText: 'Calendrier',
	    calendarFirstDay:   0,
	    closeText:          'Fermer',
	    dayNames:           'Lundi:Mardi:Mercredi:Jeudi:Vendredi:Samedi:Dimanche'.split(":"),
	    dayNamesMin:        'D:L:M:M:J:V:S'.split(":"),
	    home_url:           '/sympa/',
	    icon	s_url:          '/static-sympa/icons',
	    lang:               'fr',
	    loadingText:        'Veuillez patienter...',
	    monthNamesShort:    'Jan:Fév:Mar:Avr:Mai:Jui:Juil:Aoû:Sep:Oct:Nov:Déc'.split(":"),
	    openInNewWinText:   'Ouvrir dans une nouvelle fenêtre',
	    resetText:          'Effacer'
	};
	var lang = 'fr';
	//-->
	</script>

Could you change it to call it from an external file?

Thanks,
Vincent

[ikedas]

There seem some more things to be prohibited by CSP:

• "onclick" event handler in HTML: compose_mail.tt2, request_topic.tt2 and viewmod.tt2.
• inline javascript for email obfuscation generated by setting spam_protection and/or web_archive_spam_protection parameter as javascript.

[likehopper]

Has the code been updated ?

[ikedas]

How can we resolve the points I mentioned?

[ikedas]

Hi @likehopper ,
Could you please apply the changes in PR above and check if the problem will be fixed?