Issue warnings when unsafe-inline or unsafe-eval are used in auto mode
You get a warning as this bypasses the CSP
You get no info about that bypass.
Yes.
https://help.joomla.org/proxy?keyref=Help40:Components_CSP_Reports_Options && https://help.joomla.org/proxy?keyref=J4.x:Http_Header_Management
Warnings / Message text based on https://csp-evaluator.withgoogle.com/
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
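An added example, not part of the pull request or of Joomla's code: a standalone JavaScript check that parses a policy string and reports the two keywords this PR warns about, using the message texts quoted above. The function names, the result fields and the sample policy are constructed for illustration; how com_csp itself detects the keywords is not shown on this page.

```javascript
// Added example. The two message texts are the ones quoted in the PR description.
const MESSAGES = {
  "'unsafe-inline'": "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.",
  "'unsafe-eval'": "'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().",
};
const SCRIPT_DIRECTIVES = ["script-src", "script-src-elem", "script-src-attr"];
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/;

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// One warning per unsafe keyword found in a directive that governs scripts.
function unsafeScriptWarnings(policy) {
  const directives = parsePolicy(policy);
  const toCheck = SCRIPT_DIRECTIVES.filter((d) => directives.has(d));
  // Without script-src, default-src is the fallback for script execution.
  if (!directives.has("script-src") && directives.has("default-src")) {
    toCheck.push("default-src");
  }
  const warnings = [];
  for (const directive of toCheck) {
    const sources = directives.get(directive).map((s) => s.toLowerCase());
    const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
    for (const keyword of Object.keys(MESSAGES)) {
      if (!sources.includes(keyword)) continue;
      warnings.push({
        directive,
        keyword,
        message: MESSAGES[keyword],
        // CSP Level 2+ browsers ignore 'unsafe-inline' next to a nonce or hash.
        ignoredByBrowser: keyword === "'unsafe-inline'" && hasNonceOrHash,
      });
    }
  }
  return warnings;
}

// Constructed sample policy, not taken from the page.
console.log(unsafeScriptWarnings("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"));
```

A policy whose `script-src` is clean produces no warning even if `default-src` carries one of the keywords, because `default-src` no longer governs scripts once `script-src` is present.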
Status | New | ⇒ | Pending |
Category | ⇒ | Administration com_csp Language & Strings |
Ah I see I get the message also in the reverse order, when I publish the reports and then change the mode. I get them with mode change then. Makes sense to me and I think it is right.
I have tested this item
Done.
I have tested this item
I changed the image in Help4.x:Components CSP Reports Options, also appearing in J4.x:Http Header Management, for one showing the message and a list of reports.
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Pending |
Back to pending.
I have tested this item
One more test needed.
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-16 20:25:40 |
Closed_By | ⇒ | wilsonge | |
Thanks!
@zero-24 Is it correct that I first have to change the mode from "Detect" to "Automatic" before publishing the reports? When still in detect mode I don't get the new warnings. If this is correct, then your PR works as intended.