No Code Attached Yet
frtogh
23 Jul 2025

Steps to reproduce the issue

J!5.3.2. - current Firefox or MS Edge.
After activating the CSP in the plugin SYSTEM - HTTP HEADER, on the front-end the following options of the article list of a category stop working:

  1. changing the order via the column titles
  2. selecting a different number of articles to display per page

and the browser inspector tool confirms two blocks for inline scripts in conflict with the CSP.

Related #37799

  1. Configure plugin "Http Headers" > "Content-Security-Policy (CSP)"
    Client: Site
    Nonce: Yes
    Add a "Policy Directive" for "Client: Site"
    script-src: {nonce} 'self' 'unsafe-inline'
  2. Create a frontend menu item of type "Category List" for an article category with more than 5 articles connected.
  3. In the category settings (list) in the back end, verify that the option to show the column titles is activated and that a value greater than 5 is selected in the scroll box for the number of articles to display per page, so you can check the changes if you modify them in the front end.
  4. Open the menu item in the frontend with a recent browser (tested with Firefox and MS Edge).
  5. Click on a column's title to modify the order of the articles listed in the page.
  6. Click on the scroll box to modify the number of articles listed in the page (select a value less than the current one, or greater only if the number of articles connected to the category is greater than the current value of the box).

Expected result

  1. the selection of a different order in column's title causes a consistent change in the page's article list
  2. the selection of different value in the scroll out box for the number of articles per page causes a consistent change in the page's article list
  3. no errors are reported by browser inspector tool.

Actual result

  1. nothing changes if you modify the order of the articles listed in the page by clicking on a column's title
  2. nothing changes if you select a different value in the scroll box for the number of articles to list in the page
  3. browser inspector reports two errors for CSP conflict with inline scripts (blocked).

System information (as much as possible)

  • J!5.3.2.
  • PHP 8.3
  • current Firefox or MS Edge
  • Cassiopeia template
  • External extensions/plugins:
    1. JCE
    2. Securitycheck.

Additional comments

Firefox's inspector tool reports blocks for these instructions:

  1. this.form.submit()
  2. onclick="Joomla.tableOrdering...
brianteeman - comment - 24 Jul 2025

looks like #39730 needs to be applied to the frontend lists and not just the admin
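
Why the policy in the report blocks both handlers, as an added example that is not part of the issue thread or Joomla's own code: once `script-src` contains a nonce, browsers ignore `'unsafe-inline'`, and an `on*` attribute cannot carry a nonce. It assumes the plugin expands `{nonce}` to a `'nonce-<value>'` source; the function names, the nonce value, the `Joomla.tableOrdering` arguments and the sample HTML are constructed.

```javascript
// Added example. Policy string and HTML are constructed samples, not Joomla output.
// Not modelled: script-src-attr and 'unsafe-hashes', which can permit handlers.

// Return the source list governing scripts, or null if the policy has none.
function scriptSrcSources(policy) {
  const directives = policy.split(';').map(d => d.trim().split(/\s+/));
  const pick = name => directives.find(d => d[0].toLowerCase() === name);
  const d = pick('script-src') || pick('default-src');
  return d ? d.slice(1) : null;
}

// CSP Level 3 rule: any nonce or hash source (or 'strict-dynamic') makes the
// browser ignore 'unsafe-inline'. Attributes cannot carry a nonce, so inline
// event handlers are then refused.
function inlineHandlersAllowed(sources) {
  if (sources === null) return true;
  const lower = sources.map(s => s.toLowerCase());
  const overrides = lower.some(s =>
    /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return lower.includes("'unsafe-inline'") && !overrides;
}

// Regex scan for on*= attributes; a sketch, not a full HTML parser.
function findInlineHandlers(html) {
  const found = [];
  for (const tag of html.matchAll(/<([a-zA-Z][\w-]*)\b([^>]*)>/g)) {
    for (const a of tag[2].matchAll(/\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi)) {
      found.push({ tag: tag[1].toLowerCase(), attr: a[1].toLowerCase(), code: a[2] ?? a[3] });
    }
  }
  return found;
}

function blockedHandlers(policy, html) {
  return inlineHandlersAllowed(scriptSrcSources(policy)) ? [] : findInlineHandlers(html);
}

// Constructed inputs: nonce value and tableOrdering arguments are made up.
const POLICY = "script-src 'nonce-Zm9vYmFy' 'self' 'unsafe-inline'";
const HTML = `
<a href="#" onclick="Joomla.tableOrdering('a.title','asc','');return false;">Title</a>
<select name="limit" onchange="this.form.submit()"><option>5</option></select>`;

for (const h of blockedHandlers(POLICY, HTML)) {
  console.log(`blocked: <${h.tag}> ${h.attr}="${h.code}"`);
}
```

Handlers flagged this way keep working under a nonce policy only if they are moved into a nonced or same-origin script that binds them with `addEventListener`.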
