Opened 2 months ago

Closed 2 months ago

#2327 closed enhancement (fixed)

Implement a way for HTML files to relax the Content Security Policy and allow inline javascript

Reported by: Nicklas Nordborg
Owned by: everyone
Priority: major
Milestone: BASE 3.19.13
Component: web
Version:
Keywords:
Cc:

Description

The use case is that an analysis step in Reggie (https://baseplugins.thep.lu.se/ticket/1606) is using the Mirtrace program (https://github.com/friedlanderlab/mirtrace) which, among other things, generates an HTML report that draws plots using inline javascript.

The default CSP settings in BASE will not allow the javascript to execute and we do not want to change the global configuration to allow inline scripts.

Suggested solution is that we set the MIME type of the HTML file to text/html+javascript. The download servlet can detect that and change the MIME type to text/html and also add script-src 'self' 'unsafe-inline' to the CSP header.

This functionality should be under a configuration option in base.config that should be disabled by default.

Change History (1)

comment:1 by Nicklas Nordborg, 2 months ago

Resolution: fixed
Status: new → closed

In 8233:

Fixes #2327: Implement a way for HTML files to relax the Content Security Policy and allow inline javascript

Added a configuration option to base.config:

# Enable this option to enable inline javascript in HTML files that
# are tagged with a MIME type of text/html+javascript
enable.html+javascript = 0

If this option is enabled and a file with MIME type text/html+javascript is downloaded, then script-src 'self' 'unsafe-inline' will be added to the Content Security Policy header.

The MIME type will always be changed to text/html.
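The header rewrite described in the ticket and in the fix, modelled as an added example in Python. This is not BASE's download servlet or any code from changeset 8233; the function names, the CSP parsing/merge helpers and the constructed sample policies are assumptions of this example. It also goes beyond the ticket in one respect: a second script-src directive appended to a policy that already has one is ignored by browsers (the first occurrence wins), and nonce-, hash- and 'strict-dynamic' sources make browsers ignore 'unsafe-inline', so the existing script-src is merged in place rather than blindly appended.

```python
# Added example, not BASE's code: the download-servlet behaviour from the ticket
# (text/html+javascript -> text/html, plus a relaxed script-src when enabled),
# written as pure functions so the header logic can be checked offline.

RELAX_MIME = "text/html+javascript"            # tag stored on the file in BASE
SERVED_MIME = "text/html"                      # what the browser actually receives
RELAXED_SCRIPT_SRC = ["'self'", "'unsafe-inline'"]  # from the ticket
_NEUTRALISING_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> list[tuple[str, list[str]]]:
    """Split a CSP header value into (directive, [sources]) pairs, in order.

    A repeated directive name is dropped after its first occurrence, because
    that is what browsers do: the first copy wins and later ones are ignored.
    """
    seen, out = set(), []
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in seen:
            continue
        seen.add(name)
        out.append((name, tokens[1:]))
    return out


def serialize_csp(directives: list[tuple[str, list[str]]]) -> str:
    return "; ".join(" ".join([name, *sources]) for name, sources in directives)


def _neutralises_unsafe_inline(source: str) -> bool:
    s = source.lower()
    return s == "'strict-dynamic'" or s.startswith(_NEUTRALISING_PREFIXES)


def relax_script_src(policy: str) -> str:
    """Return `policy` with script-src allowing 'self' and 'unsafe-inline'.

    The existing script-src directive is rewritten in place (an appended
    duplicate would be ignored). Sources that make browsers ignore
    'unsafe-inline' are removed, otherwise the relaxation would silently fail.
    If the policy had no script-src at all, one is added; from then on scripts
    no longer fall back to default-src, which is why 'self' is listed too.
    """
    merged, found = [], False
    for name, sources in parse_csp(policy):
        if name == "script-src":
            found = True
            kept = [s for s in sources if not _neutralises_unsafe_inline(s)]
            for s in RELAXED_SCRIPT_SRC:
                if s not in kept:
                    kept.append(s)
            merged.append((name, kept))
        else:
            merged.append((name, sources))
    if not found:
        merged.append(("script-src", list(RELAXED_SCRIPT_SRC)))
    return serialize_csp(merged)


def download_headers(stored_mime: str, base_csp: str,
                     enable_html_javascript: bool) -> dict[str, str]:
    """Headers the download servlet would send for a file tagged `stored_mime`.

    Mirrors the ticket: for text/html+javascript the MIME type is *always*
    rewritten to text/html, while the CSP is relaxed only when base.config has
    enable.html+javascript = 1. Every other MIME type passes through untouched.
    """
    if stored_mime.lower() != RELAX_MIME:
        return {"Content-Type": stored_mime, "Content-Security-Policy": base_csp}
    csp = relax_script_src(base_csp) if enable_html_javascript else base_csp
    return {"Content-Type": SERVED_MIME, "Content-Security-Policy": csp}


if __name__ == "__main__":
    # Constructed sample policy, not BASE's actual default CSP.
    sample = "default-src 'self'; script-src 'self'; img-src 'self' data:"
    print(download_headers(RELAX_MIME, sample, True))
    print(download_headers(RELAX_MIME, sample, False))
```

The disabled case is worth keeping in mind when testing the option: the file is still served as text/html, so the report renders, but its inline plots stay blocked under the unchanged policy.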
