WEBUI-1282: Allow Content Security Policy without script-src data: pa…

…rt 1
nuxeo · Nov 28, 2024 · d96902c · d96902c
1 parent 5513961
commit d96902c
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 23 deletions.
diff --git a/ui/import-href.js b/ui/import-href.js
@@ -104,12 +104,14 @@ export const importHref = function(href, onload, onerror, optAsync) {
  */
 export const importHTML = (html) => {
   const tmpl = document.createElement('template');
+  const nuxeoNonceValue = Nuxeo.UI.config.nonce || ''
   tmpl.innerHTML = html;
   [...tmpl.content.children].forEach((el) => {
     if (el.tagName === 'SCRIPT' && !el.src) {
       const script = document.createElement('script');
       [...el.attributes].forEach((attr) => script.setAttribute(attr.name, attr.value));
       script.setAttribute('src', `data:text/javascript;charset=utf-8,${encodeURIComponent(el.textContent)}`);
+      script.setAttribute("nonce", nuxeoNonceValue);
       el = script;
     }
     document.head.appendChild(el);

diff --git a/ui/nuxeo-filter.js b/ui/nuxeo-filter.js
@@ -18,7 +18,6 @@ limitations under the License.
 import '@polymer/polymer/polymer-legacy.js';
 
 import '@nuxeo/nuxeo-elements/nuxeo-element.js';
-import { config } from '@nuxeo/nuxeo-elements';
 import { Debouncer } from '@polymer/polymer/lib/utils/debounce.js';
 import { microTask } from '@polymer/polymer/lib/utils/async.js';
 import { enqueueDebouncer } from '@polymer/polymer/lib/utils/flush.js';
@@ -185,29 +184,25 @@ import Interpreter from './js-interpreter/interpreter.js';
       let res = false;
 
       try {
-        if (!config.get('expressions.eval', true)) {
-          const js = new Interpreter(expression, (interpreter, scope) => {
-            // set scope
-            interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
-            Object.entries({ document, user }).forEach(([k, obj]) => {
-              const v = {};
-              // filter out private properties
-              Object.getOwnPropertyNames(obj)
-                .filter((p) => !p.startsWith('_'))
-                .forEach((p) => {
-                  v[p] = obj[p];
-                });
-              interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
-            });
-            // XXX: 'this' in the scope of native functions is the interpreter instance
-            Object.assign(interpreter, FiltersBehavior);
+        const js = new Interpreter(expression, (interpreter, scope) => {
+          // set scope
+          interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
+          Object.entries({ document, user }).forEach(([k, obj]) => {
+            const v = {};
+            // filter out private properties
+            Object.getOwnPropertyNames(obj)
+              .filter((p) => !p.startsWith('_'))
+              .forEach((p) => {
+                v[p] = obj[p];
+              });
+            interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
           });
-          js.run();
-          res = js.value;
-        } else {
-          const fn = new Function(['document', 'user'], `return ${expression};`);
-          res = fn.apply(this, [document, user]);
-        }
+          // XXX: 'this' in the scope of native functions is the interpreter instance
+          Object.assign(interpreter, FiltersBehavior);
+        });
+        js.run();
+        res = js.value;
+
         return res;
       } catch (err) {
         console.error(`${err} in <nuxeo-filter> expression "${expression}"`);