Fix CSP issue when viewing marketplace plugin details #18215
Conversation
sgiehl
added
Needs Review
| @@ -57,6 +57,10 @@ public function home() | |||
| $isFeedbackEnabled = Plugin\Manager::getInstance()->isPluginLoaded('Feedback'); | |||
| $widgetsList = WidgetsList::get(); | |||
|
|
|||
| if ($isInternetEnabled && $isMarketplaceEnabled) { | |||
There was a problem hiding this comment.
should this be done directly in the widget? I suppose similar issue would happen when adding a marketplace widget to the dashboard? I suppose it might not work as the widget is rendered in a separate request?
We might need to also check if the marketplace is being viewed in the reporting UI eg in a dashboard
There was a problem hiding this comment.
Exactly. That doesn't work as it's another request. We could actually always add it if such a widget can be added to dashboard
There was a problem hiding this comment.
I have checked the marketplace widgets for the dashboard. Both don't seem to show any images. So shouldn't be needed to add a CSP there.
There was a problem hiding this comment.
@sgiehl they show for me eg when clicking on "more details"
Also when clicking on the left menu on "Marketplace" then there may be screenshots shown when getting details
Maybe when Marketplace is enabled, then *.matomo.org always need to be allowed in the reporting page?
There was a problem hiding this comment.
ah. sure. Should be fixed now.
|
works 👍 |
Description:
When viewing the admin page, which contains a widget showing details on new plugins, or when opening the plugin details of a plugin, there is currently a CSP report shown:
To avoid this I've added
*.matomo.orgtoimg-src.In addition premium plugins are loading the reviews from shop.matomo.org. This would also fail in the future, so added
*.matomo.orgtodefault-srcas well.refs #17923
Review