Visiting the modules admin (/admin/modules) the console shows this error:
tableheader.js?osdq8l:83 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
This happens after activating the Security Kit Module and activating the function -Send HTTP response header- that turns on the Content Security Policy.
If the Module Filter is installed, the modules admin page gets broken.

The way to solve it is to add 'unsafe-eval' to the script-src directive; however, it is not recommended.


Comments

jpablus created an issue. See original summary.

Ayesh’s picture

Status: Active » Needs review
FileSize
1.09 KB

Good call to remove the eval() call. There are a few more JS eval() calls, and the Drupal.settings expansion that will be blocked with a tight CSP. However, try with the attached patch. It has a small function that executes a given variable from the window object, and returns the callback's return value.

Version: 7.56 » 7.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.

collinhaines’s picture

Status: Needs review » Reviewed & tested by the community

Confirmed patch is still valid 3 years later. Flawlessly patches in 7.73.

No apparent visible issues with the Module Filter module, any core tables (content overview), nor any view tables (Admin Views, Views).

Bohus Ulrych’s picture

Thanks. Seems to be working well. D7 version 7.78

gapple’s picture

Issue tags: -Content Security Policy Security Kit +Content Security Policy

Haven't tested, but it looks like callHeaderOffsetFunction should return 0 instead of null if the specified function isn't available.


berliner’s picture

Status: Reviewed & tested by the community » Needs review
FileSize
1.15 KB

I had issues in combination with the navbar module where I see these errors in the log (in Brave and Chrome, not tested in other browsers so far):

navbar-tableheader.js?v=7.82:28 Uncaught TypeError: Cannot read properties of undefined (reading 'calculateHeight')
    at height (navbar-tableheader.js?v=7.82:28)
    at <anonymous>:1:1

The attached updated patch fixes that issue for me.

Fabianx’s picture

This is similar to what we had before, but fixes one more bug.

Let's however also fix overlay.js AND also ensure that while we go through the chain that we always check the typeof before for object or function and return 0 instead of erroring out.

It seems the eval silently failed instead and returned 0.

mcdruid’s picture

https://git.drupalcode.org/project/drupal/-/blob/7.82/modules/overlay/ov...

...is the other place we spotted some very similar code that should be fixed at the same time.

poker10’s picture

Status: Needs review » Reviewed & tested by the community

I have tested the patch #12 and it seems to work correctly (with and without overlay). Errors from the console are gone. I have found two small issues (probably could be fixed on commit).

1. Inconsistent usage of quotes (single vs double)
2. Strict vs loose comparison (probably we should use strict comparison on both places as it is used in jQuery libraries)

Both "problems" are in these two conditions:

if (typeof callback[accessor[i]] != 'function' && typeof callback[accessor[i]] != 'object')
if (typeof callback[accessor[accessor.length - 1]] === "function")
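
The approach discussed in this thread (walk the dotted name one property at a time, check typeof at each step, return 0 when the function is unavailable), written out as an added example; it is not the committed patch or Drupal's own code. The names callByPath and sampleWindow, the sample values, and the assumption that the callback is named by a dotted string such as "Drupal.toolbar.height" are all hypothetical.

```javascript
// Hypothetical helper (not Drupal's): call the function named by a dotted
// path without eval() or new Function(), so it keeps working under a
// script-src directive that omits 'unsafe-eval'.
function callByPath(root, path, fallback = 0) {
  if (root == null || typeof path !== 'string' || path === '') {
    return fallback;
  }
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const accessor = path.split('.');
  const last = accessor.length - 1;
  let context = root;
  // Walk the parent chain; stop at anything that is not an object/function.
  for (let i = 0; i < last; i++) {
    const next = own(context, accessor[i]) ? context[accessor[i]] : undefined;
    if (next === null || (typeof next !== 'function' && typeof next !== 'object')) {
      return fallback;
    }
    context = next;
  }
  // Own-property lookup only (a hardening choice of this example), so a path
  // like "constructor.constructor" never reaches inherited built-ins.
  const fn = own(context, accessor[last]) ? context[accessor[last]] : undefined;
  if (typeof fn !== 'function') {
    return fallback;
  }
  return fn.call(context); // same `this` as writing a.b.c() directly
}

// Constructed stand-in for the browser's window object.
const sampleWindow = {
  Drupal: {
    toolbar: { height() { return 64; } },
    navbar: undefined, // module script not loaded on this page
    settings: { tableHeaderOffset: 'Drupal.toolbar.height' },
  },
};

function demo() {
  return {
    present: callByPath(sampleWindow, 'Drupal.toolbar.height'),
    missingParent: callByPath(sampleWindow, 'Drupal.navbar.height'),
    notAFunction: callByPath(sampleWindow, 'Drupal.settings.tableHeaderOffset'),
    // Code-like text is only ever a property name here; it is never executed.
    codeLikeText: callByPath(sampleWindow, 'Drupal.toolbar.height()'),
  };
}
```

In a browser the root argument would be `window`; the missing-parent case corresponds to the "Cannot read properties of undefined" error reported above and yields 0 instead of throwing.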

  • mcdruid committed 62faca6 on 7.x
    Issue #2891346 by berliner, Ayesh, jpablus, gapple, Fabianx, poker10,...

mcdruid’s picture

Status: Reviewed & tested by the community » Fixed

I made those changes on commit, thanks @poker10.

Thanks everyone!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.