Remove inline javascript to comply with some CSP #134

Closed
mossroy opened this issue Dec 31, 2021 · 0 comments · Fixed by #152

mossroy commented Dec 31, 2021

https://download.kiwix.org/zim/phet/phet_fr_2021-08.zim cannot be used inside a Chrome/Chromium extension, because of the CSP the browser engine enforces.

The main page loads, but you're stuck on it as no category is displayed:


```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-h1G5vTT/RuoHFKih3ibsUNr2b7WX7UpZMbYt5ioKXWc='), or a nonce ('nonce-...') is required to enable inline execution.
```

It is (at least) because of this inline JavaScript:

```html
<script>
	window.importedData = (...)
	window.lsPrefix = 'kiwix';
	lsPrefix = "phet_fr_2021-08";
</script>
```

This inline JavaScript (and any other inline JavaScript) should be moved inside a JavaScript file to be compatible with the CSP.
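
One way to do the move described above at build time, as an added example that is not part of the original issue or the project's code. The function names, the output file naming and the sample page are assumptions; the function also reports inline event handlers, which the same CSP blocks.

```javascript
// Added example: move executable inline <script> bodies into external files so a
// page loads under "script-src 'self' 'unsafe-eval'". Regex scanning is an
// assumption that suits well-formed build-time HTML; prefer a real HTML parser.
const EXECUTABLE_TYPES = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// Read one attribute value out of a raw attribute string (hypothetical helper).
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function externalizeInlineScripts(html, baseName) {
  const files = {}; // file name -> JavaScript source to write next to the page
  let n = 0;
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const rewritten = html.replace(scriptRe, (whole, attrs, body) => {
    const type = (attr(attrs, 'type') || '').trim().toLowerCase();
    const hasSrc = /(?:^|\s)src\s*=/i.test(attrs);
    // External scripts already satisfy 'self'; data blocks (e.g. JSON) never execute.
    if (hasSrc || !EXECUTABLE_TYPES.has(type) || body.trim() === '') return whole;
    const name = `${baseName}-inline-${++n}.js`;
    files[name] = body.trim() + '\n';
    // Attributes are kept; a classic external script without async/defer still
    // runs in document order, so globals are set before later scripts read them.
    return `<script${attrs} src="${name}"></script>`;
  });
  // Inline event handlers count as inline script too and cannot be moved
  // mechanically; list them so they can be rewritten with addEventListener.
  const handlers = [];
  for (const m of rewritten.matchAll(/<([a-z][\w-]*)\b[^>]*?\s(on[a-z]+)\s*=/gi)) {
    handlers.push(`${m[1]} ${m[2].toLowerCase()}`);
  }
  return { html: rewritten, files, handlers };
}

// Constructed sample page modelled on the snippet in the issue.
const SAMPLE = `<html><head>
<script src="lib.js"></script>
<script type="application/json" id="cfg">{"a":1}</script>
<script>
  window.lsPrefix = 'kiwix';
  lsPrefix = "phet_fr_2021-08";
</script>
</head><body><button onclick="go()">Go</button></body></html>`;

const result = externalizeInlineScripts(SAMPLE, 'index');
console.log(Object.keys(result.files), result.handlers);
```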
