CSP error in some browsers

somogyi 2022-04-13 17:00:05 UTC #1

Hi,

First:
Egroupware install type: Docker
Version: 21.1.20220408

Some browsers report in console, that some script blocked, because missing CSP directives.

Safari: Refused to execute a script because its hash, its nonce, or ‘unsafe-inline’ does not appear in the script-src directive of the Content Security Policy. (index.php:0)

Seamonkey: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://SITE ‘unsafe-eval’”). Source: onfocusin attribute on DIV element. (index.php)

Firefox: Blocked inline („script-src”)

Chrome does not show any errors that related to this.

Can you help with this?

Thank you!

BR,
Z

RalfBecker 2022-04-16 06:04:48 UTC #2

You can safely ignore that error.

We have an event-handler bound on that events, which get successful triggered and stops the propagation / calling the handler in the on* attribute. Some browsers still mark that as an error.

Ralf

somogyi 2022-04-16 06:24:01 UTC #3

Hi Ralf!

Thank you for your answer.
Okay we will ignore this error in console.

Can it cause that Seamonkey browser does not load applications content? Only an empty page loaded with sidebar and header content.

Screenshot attached.

Thank you!
BR,
Z

RalfBecker 2022-04-18 06:25:22 UTC #4

Sorry, we are not regularly testing with SeaMonkey.

If I find some time the next days, I might have a look …

Ralf

RalfBecker 2022-04-18 06:32:21 UTC #5

I think I know what the problem is: latest SeaMonkey is compatible with FF 60.8, which does NOT work with our latest release.

Hadi already commited a fix, but due to no one complained so far, we have not released it and it will come with the next maintenance release.

But be warned, current SeaMonkey will no longer work with the next EGroupware version, due to our updated JavaScript requirements.

Ralf

somogyi 2022-04-18 06:50:26 UTC #6

Thank you for your time Ralf!