Steps to reproduce the issue
J!5.3.2. - current Firefox or MS Edge.
After activating the CSP in the plugin SYSTEM - HTTP HEADER, on the front-end the following options of the article list of a category stop working:
- change order of columns title
- selection different number of articles to display for a page
and the browser inspector tool confirm two blocks for inline scripts in conflict with CSP.
Related #37799
- Configure plugin "Http Headers" > "Content-Security-Policy (CSP)"
Client: Site
Nonce: Yes
Add a "Policy Directive" for "Client: Site"
script-src: {nonce} 'self' 'unsafe-inline'
- Create a frontend menu item of type "Category List" for a article category with more than 5 articles connected.
- In category settings (list) of the back end verify that is activated the option to make visible the title of columns and is selected a value grater than 5 in the scroll box for the number of articles to display per page. So you can check changes if you modify them in front end.
- Open menu item in frontend with a recent browser (tested with Firefox and Ms Edge)
- click on column's title for modify the order of articles listed in the page
- click on scroll box for modify the number of articles listed in the page (select a value less the current or greater only if the number of articles connected to the category is greater than the current value of the box).
Expected result
- the selection of a different order in column's title causes a consistent change in the page's article list
- the selection of different value in the scroll out box for the number of articles per page causes a consistent change in the page's article list
- no errors are reported by browser inspector tool.
Actual result
- nothing change if you modify the order of articles listed in the page clicking on column's title
- nothing change if you select a different value in the scroll box of the number of articles to list in the page
- browser inspector reports two errors for CSP conflict with inline scripts (blocked).
System information (as much as possible)
- J!5.3.2.
- PHP 8.3
- current Firefox or MS Edge
- Cassiopeia template
- External extensions/plugins:
- JCE
- Securitycheck.
Additional comments
Firefox's inspector tool reports blocks for these instructions:
- this.form.submit()
- onclick="Joomla.tableOrdering...
looks like #39730 needs to be applied to the frontend lists and not just the admin