Textpattern CMS support forum

#1 2020-08-11 02:42:07

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058
Website

TXP-dev and strict CSP rules

Dev now implements a new way of loading CSS and JS admin files, and inline JS blocks, which would allow for stricter CSP rules. The basic functionality seems to work fine, not sure yet about the strict(er) CSP handling as I cannot currently test this on localhost.

Does this also affect the way an admin theme would load custom CSS + JS files (files defined by the end user) and eventually inline CSS or JS blocks ? IOW, will those files (and inline blocks) be subjected to the same mechanism to handle strict CSP rules ?

–^–

The path to those custom CSS + JS files seems to be set in Theme.php, an admin theme can specify a different path in the theme PHP file.

from phw_sandspace.php, courtesy of Makks at the time:

    function html_head()
    {
        // Specify path for custom CSS + JS - see README for usage instructions.
        $this->cssPath = 'custom';
        $this->jsPath = 'custom';
        // ... (rest of the method not shown in this excerpt)
    }

Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#2 2020-08-11 08:40:01

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: TXP-dev and strict CSP rules

That is a good point, will investigate soon. The custom CSS/JS will probably need to use the new UI\Style and UI\Script widgets respectively, so they get the nonce attribute applied to them, which can then be passed by the recommended CSP rules.

Offline
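
A minimal sketch of the nonce mechanism described in the post above, added here as an illustration; it is not part of the original thread and not Textpattern's own code. All function names and the file names under `custom/` are hypothetical, and it does not use the `UI\Style` / `UI\Script` widgets, whose interfaces are not shown on this page.

```php
<?php
// Added illustration, not Textpattern code. All function names are hypothetical.

/** One unpredictable nonce per response, reused by every tag on the page. */
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16)); // 128 bits from the CSPRNG
    }
    return $nonce;
}

/** Header line that lets only nonce-carrying scripts and styles load. */
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: script-src 'nonce-$nonce'; "
        . "style-src 'nonce-$nonce'; object-src 'none'; base-uri 'self'";
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** External stylesheet and script tags carrying the nonce attribute. */
function style_tag(string $href): string
{
    return '<link rel="stylesheet" href="' . esc($href) . '" nonce="' . esc(csp_nonce()) . '">';
}

function script_tag(string $src): string
{
    return '<script src="' . esc($src) . '" nonce="' . esc(csp_nonce()) . '"></script>';
}

/** Inline block: without the nonce, a policy lacking 'unsafe-inline' blocks it. */
function inline_script(string $js): string
{
    // Keep a literal "</script>" inside the JS from ending the element early.
    return '<script nonce="' . esc(csp_nonce()) . '">' . str_replace('</', '<\/', $js) . '</script>';
}

// The header must be sent before any body output.
if (PHP_SAPI !== 'cli') {
    header(csp_header(csp_nonce()));
}
// Constructed file names under the 'custom' path mentioned in the thread.
echo style_tag('custom/custom.css'), "\n";
echo script_tag('custom/custom.js'), "\n";
echo inline_script('console.log("admin theme loaded");'), "\n";
```

A tag emitted without the nonce attribute, such as a theme's custom file loaded through an older code path, is refused by the browser under this policy, which is the situation the first post asks about.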

#3 2020-08-11 08:51:57

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: TXP-dev and strict CSP rules

OK, I’ve amended dev branch now to also load custom JS/CSS with the new widgets, which should fix this.

Offline

#4 2020-08-11 09:05:39

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058
Website

Re: TXP-dev and strict CSP rules

philwareham wrote #325290:

OK, I’ve amended dev branch now to also load custom JS/CSS with the new widgets, which should fix this.

Thanks!
One more issue removed.



Offline

#5 2020-08-11 09:31:29

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058
Website

Re: TXP-dev and strict CSP rules

phiw13 wrote #325293:

One more issue removed.

Hmm, hold on – it helps with really testing:

Fatal error: Uncaught Error: Class 'Textpattern\Admin\Txp' not found in /Users/[username]/Sites/_txptest/textpattern/vendors/Textpattern/Admin/Theme.php:371
Stack trace:
#0 /Users/[username]/Sites/_txptest/textpattern/lib/txplib_head.php(165): Textpattern\Admin\Theme->html_head_custom()
#1 /Users/[username]/Sites/_txptest/textpattern/include/txp_image.php(80): pagetop('Images', '')
#2 /Users/[username]/Sites/_txptest/textpattern/include/txp_image.php(66): image_list()
#3 /Users/[username]/Sites/_txptest/textpattern/index.php(228): include('/Users/[username]/S...')
#4 {main}
  thrown in /Users/[username]/Sites/_txptest/textpattern/vendors/Textpattern/Admin/Theme.php on line 371


Offline

#6 2020-08-11 13:13:34

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: TXP-dev and strict CSP rules

Really fixed now 😀

Offline

#7 2020-08-11 13:22:16

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058
Website

Re: TXP-dev and strict CSP rules

philwareham wrote #325298:

Really fixed now 😀

Yay! will do some more (basic) testing tomorrow or so. Thanks.



Offline
