Functional installation page.
Non-functional installation page:
(1) The buttons (such as "Setup Login Data") don't work.
The Console says that core.min.js was blocked (call to eval() or related function blocked by CSP.)
Actually "core.js" contains two unnecessary statements "new Function".
(2) Page elements with style="display:none" don't (and shouldn't) work.
Changing "display" property should be done by adding/removing class, such as .hidden {display:none}
Enforcing safety with proper CSP was agreed upon by Joomla developers for Joomla 4.
So inline styles should be eliminated, as well as "eval()" and "new Function" in js.
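Added example (not part of the original report and not Joomla code): a small Node.js check that parses a Content-Security-Policy header value and reports whether it still permits eval()/new Function, inline scripts and style="..." attributes, the constructs named in the report above. The function names and sample policies are constructed for illustration.

```javascript
// Added example: audits a CSP header value for the constructs discussed above.
// Function names and sample policies are constructed, not taken from Joomla.

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    // Sources are lowercased because they are only classified here, not matched.
    if (!policy.has(key)) policy.set(key, sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// First directive present in the fallback chain, or null if none applies.
function effective(policy, chain) {
  for (const name of chain) if (policy.has(name)) return policy.get(name);
  return null;
}

// True if the source list permits arbitrary inline content.
function allowsInline(sources, isScript) {
  if (sources === null) return true; // nothing restricts it
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  if (sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) return false;
  if (isScript && sources.includes("'strict-dynamic'")) return false;
  return sources.includes("'unsafe-inline'");
}

function auditCsp(header) {
  const p = parseCsp(header);
  const script = effective(p, ['script-src', 'default-src']);
  return {
    // eval() and new Function need 'unsafe-eval' once script-src/default-src is set.
    evalAllowed: script === null || script.includes("'unsafe-eval'"),
    inlineScriptAllowed: allowsInline(
      effective(p, ['script-src-elem', 'script-src', 'default-src']), true),
    // style="..." attributes: style-src-attr, then style-src, then default-src.
    styleAttrAllowed: allowsInline(
      effective(p, ['style-src-attr', 'style-src', 'default-src']), false),
  };
}

console.log(auditCsp("default-src 'self'; style-src 'self' 'unsafe-inline'"));
```

A policy for which all three fields are false is the strict case in which code using eval(), new Function or style attributes stops working, as the report describes.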
I would add that we're never going to fully support style element - because ultimately all the WYSIWYG editors (tinymce etc) are always going to apply inline styles to elements whenever people style their text. I don't think this is easily fixable so as a result - happy to do what we can there but I don't see it as a huge priority.
Fixing the javascript on the other hand is definitely a priority.
Status | New | ⇒ | Confirmed |
Inline style is unavoidable in CMS. Lots of extension developers use (massive) inline style just to position elements dynamically (position: absolute; left: xx; t etc.)
Using v4 Beta 7: There are errors in the com_csp > config.xml: option value= 'style-' is pointing to script-
Status | Confirmed | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-05-04 19:41:04 |
Closed_By | ⇒ | zero-24 |
> Inline style is unavoidable in CMS. Lots of extension developers use (massive) inline style just to position elements dynamically
Well, you can still use it; just pass it via the API that the CMS provides and all issues are gone ;)
But anyway, com_csp that was mentioned here will be gone from 4.0 soon too: #33550
Status | Closed | ⇒ | New |
Closed_Date | 2021-05-04 19:41:04 | ⇒ | |
Closed_By | zero-24 | ⇒ |
Labels | Added: No Code Attached Yet, bug | Removed: ? |
Probably should be closed as com_csp is no more
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-04-10 16:49:19 |
Closed_By | ⇒ | Quy |
Status | Closed | ⇒ | New |
Closed_Date | 2023-04-10 16:49:19 | ⇒ | |
Closed_By | Quy | ⇒ |
This one is still relevant but applied to the security headers plug-in. We know that JavaScript being disabled breaks the backend hard at the moment. Not sure if there is another issue covering that at the moment though?
I would like to confirm if there will be any issues or abnormalities if only the basic functions of Joomla system are used, and 'unsafe-eval' and 'unsafe-inline' in script-src are rejected, after version 4.4.2?
Thank you!
Partial correction: pull 27298
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27297.