Opened 3 months ago
Closed 3 months ago
#2327 closed enhancement (fixed)
Implement a way for HTML files to relax the Content Security Policy and allow inline javascript
| Reported by: | Nicklas Nordborg | Owned by: | everyone |
|---|---|---|---|
| Priority: | major | Milestone: | BASE 3.19.13 |
| Component: | web | Version: | |
| Keywords: | | Cc: | |
Description
The use case is that an analysis step in Reggie (https://baseplugins.thep.lu.se/ticket/1606) uses the Mirtrace program (https://github.com/friedlanderlab/mirtrace) which, among other things, generates an HTML report that draws plots using inline JavaScript.
The default CSP settings in BASE will not allow the JavaScript to execute, and we do not want to change the global configuration to allow inline scripts.
The suggested solution is that we set the MIME type of the HTML file to text/html+javascript. The download servlet can detect that, change the MIME type to text/html, and also add script-src 'self' 'unsafe-inline' to the CSP header.
This functionality should be under a configuration option in base.config that should be disabled by default.
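The header logic the ticket proposes, as an added example that is not BASE's own code: a file stored with the marker MIME type text/html+javascript is served as text/html with script-src relaxed to 'self' 'unsafe-inline', but only when a configuration option is enabled. The option name download.allow-inline-script, the base.config representation as a dict, and the pass-through behaviour when the option is disabled are assumptions, not taken from the ticket. The example goes one step beyond the ticket text in how the directive is added: an existing script-src directive is replaced rather than a second one appended, because browsers honour only the first occurrence of a CSP directive and would ignore an appended duplicate, leaving inline scripts blocked.

```python
"""Relaxed CSP for HTML files flagged with a marker MIME type (added example).

Models the download-servlet logic proposed in the ticket. Not BASE code:
the config option name and the disabled-case behaviour are assumptions.
"""

MARKER_MIME = "text/html+javascript"                      # from the ticket
SERVED_MIME = "text/html"                                 # from the ticket
RELAXED_SCRIPT_SRC = "script-src 'self' 'unsafe-inline'"  # from the ticket
CONFIG_KEY = "download.allow-inline-script"               # assumed option name


def parse_csp(header):
    """Split a CSP header into an ordered list of (name, value) directives."""
    directives = []
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def serialize_csp(directives):
    """Join (name, value) directives back into a header value."""
    return "; ".join(f"{name} {value}".strip() for name, value in directives)


def relax_script_src(csp_header):
    """Return csp_header with script-src set to the relaxed directive.

    The first script-src is replaced in place and any later duplicates are
    dropped; if the policy has no script-src at all, the relaxed directive is
    appended so that default-src no longer governs scripts.
    """
    name, value = RELAXED_SCRIPT_SRC.split(None, 1)
    out = []
    replaced = False
    for n, v in parse_csp(csp_header):
        if n == name:
            if not replaced:
                out.append((name, value))
                replaced = True
            continue  # drop duplicate script-src directives
        out.append((n, v))
    if not replaced:
        out.append((name, value))
    return serialize_csp(out)


def response_headers(stored_mime, base_csp, config):
    """Decide Content-Type and Content-Security-Policy for one download.

    config is a dict of base.config-style options (constructed for the
    example). Only the marker MIME type with the option enabled gets the
    relaxed policy; every other file keeps the global CSP unchanged.
    """
    enabled = str(config.get(CONFIG_KEY, "false")).lower() == "true"
    if enabled and stored_mime == MARKER_MIME:
        return {"Content-Type": SERVED_MIME,
                "Content-Security-Policy": relax_script_src(base_csp)}
    # Assumption: with the option disabled, the stored MIME type and the
    # global CSP are passed through unchanged (the ticket does not say).
    return {"Content-Type": stored_mime,
            "Content-Security-Policy": base_csp}


if __name__ == "__main__":
    # Constructed sample global policy, not BASE's real default.
    base = "default-src 'self'; script-src 'self'; object-src 'none'"
    print(response_headers(MARKER_MIME, base, {CONFIG_KEY: "true"}))
    print(response_headers(MARKER_MIME, base, {}))
    print(response_headers("text/html", base, {CONFIG_KEY: "true"}))
```

The relaxation is scoped to a single response: 'unsafe-inline' is only emitted for files an administrator has deliberately stored with the marker type, and only once the option is switched on, so ordinary HTML uploads keep the global policy.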
In 8233: