WEBUI-1282: Allow Content Security Policy without script-src data

nuxeo · Dec 12, 2024 · 3c2402f · 3c2402f
1 parent 504c09b
commit 3c2402f
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 26 deletions.
diff --git a/storybook/src/elements/nuxeo-actions-menu/nuxeo-actions-menu.stories.js b/storybook/src/elements/nuxeo-actions-menu/nuxeo-actions-menu.stories.js
@@ -28,7 +28,7 @@ storiesOf('UI/nuxeo-actions-menu', module).add('Default', () => {
     <nuxeo-actions-menu>
       ${list.map(
         (i) => html`
-          <nuxeo-link-button href="javascript:void(0)" icon=${i} label=${i}> </nuxeo-link-button>
+          <nuxeo-link-button href="#" icon=${i} label=${i}> </nuxeo-link-button>
         `,
       )}
     </nuxeo-actions-menu>

diff --git a/ui/import-href.js b/ui/import-href.js
@@ -104,12 +104,14 @@ export const importHref = function(href, onload, onerror, optAsync) {
  */
 export const importHTML = (html) => {
   const tmpl = document.createElement('template');
+  const nuxeoNonceValue = Nuxeo && Nuxeo.UI && Nuxeo.UI.config && Nuxeo.UI.config.nonce || ''
   tmpl.innerHTML = html;
   [...tmpl.content.children].forEach((el) => {
     if (el.tagName === 'SCRIPT' && !el.src) {
       const script = document.createElement('script');
       [...el.attributes].forEach((attr) => script.setAttribute(attr.name, attr.value));
       script.setAttribute('src', `data:text/javascript;charset=utf-8,${encodeURIComponent(el.textContent)}`);
+      script.setAttribute("nonce", nuxeoNonceValue);
       el = script;
     }
     document.head.appendChild(el);

diff --git a/ui/nuxeo-aggregation/nuxeo-checkbox-aggregation.js b/ui/nuxeo-aggregation/nuxeo-checkbox-aggregation.js
@@ -187,7 +187,9 @@ import { AggregationBehavior } from './nuxeo-aggregation-behavior.js';
                     </template>
                   </dom-repeat>
                   <span hidden$="[[_hideShowMoreButton(buckets, visibleItems)]]" class="show-more-button">
-                    <a href="javascript:void(0);" on-tap="_toggleShow"> [[_computeShowMoreLabel(_showAll, i18n)]] </a>
+                    <a href="#" on-tap="_toggleShow">
+                      [[_computeShowMoreLabel(_showAll, i18n)]]
+                    </a>
                   </span>
                 </template>
               </dom-if>
@@ -280,7 +282,8 @@ import { AggregationBehavior } from './nuxeo-aggregation-behavior.js';
       return `hardware:keyboard-arrow-${opened ? 'up' : 'down'}`;
     }
 
-    _toggleShow() {
+    _toggleShow(e) {
+      e.preventDefault();
       this._set_showAll(!this._showAll);
     }
 

diff --git a/ui/nuxeo-filter.js b/ui/nuxeo-filter.js
@@ -18,7 +18,6 @@ limitations under the License.
 import '@polymer/polymer/polymer-legacy.js';
 
 import '@nuxeo/nuxeo-elements/nuxeo-element.js';
-import { config } from '@nuxeo/nuxeo-elements';
 import { Debouncer } from '@polymer/polymer/lib/utils/debounce.js';
 import { microTask } from '@polymer/polymer/lib/utils/async.js';
 import { enqueueDebouncer } from '@polymer/polymer/lib/utils/flush.js';
@@ -185,29 +184,25 @@ import Interpreter from './js-interpreter/interpreter.js';
       let res = false;
 
       try {
-        if (!config.get('expressions.eval', true)) {
-          const js = new Interpreter(expression, (interpreter, scope) => {
-            // set scope
-            interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
-            Object.entries({ document, user }).forEach(([k, obj]) => {
-              const v = {};
-              // filter out private properties
-              Object.getOwnPropertyNames(obj)
-                .filter((p) => !p.startsWith('_'))
-                .forEach((p) => {
-                  v[p] = obj[p];
-                });
-              interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
-            });
-            // XXX: 'this' in the scope of native functions is the interpreter instance
-            Object.assign(interpreter, FiltersBehavior);
+        const js = new Interpreter(expression, (interpreter, scope) => {
+          // set scope
+          interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
+          Object.entries({ document, user }).forEach(([k, obj]) => {
+            const v = {};
+            // filter out private properties
+            Object.getOwnPropertyNames(obj)
+              .filter((p) => !p.startsWith('_'))
+              .forEach((p) => {
+                v[p] = obj[p];
+              });
+            interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
           });
-          js.run();
-          res = js.value;
-        } else {
-          const fn = new Function(['document', 'user'], `return ${expression};`);
-          res = fn.apply(this, [document, user]);
-        }
+          // XXX: 'this' in the scope of native functions is the interpreter instance
+          Object.assign(interpreter, FiltersBehavior);
+        });
+        js.run();
+        res = js.value;
+
         return res;
       } catch (err) {
         console.error(`${err} in <nuxeo-filter> expression "${expression}"`);