KoolReport's Forum


Removing "unsafe-inline" from your Content Security Policy (CSP) header - causes issues with KoolReport #3433

Open Neha Gupta opened this topic on Apr 11 - 1 comment

Neha Gupta commented on Apr 11

We are using KoolReport version 3.25.4 with CakePHP version 3.9. One of the issues called out during the Application Security Review is making the Content Security Policy (CSP) header more secure by removing "unsafe-inline" from script-src.

This causes our reports to break since KoolReport has quite a few inline JavaScript snippets. We would like to use nonce-based CSP like we do for our other inline scripts, but I don't know how to pass the nonce in KoolReport. Kindly guide us regarding the same.

Thanks, Neha

David Winterburn commented on Apr 14

We will find a good solution for this inline script CSP issue for KoolReport widgets. Meanwhile you could try the following workaround to add a nonce attribute to KoolReport's script tags like this:

<?php
// index.php
require_once "MyReport.php";
$report = new MyReport();
$content = '';
// Pass true to render() so the report output is returned as a string instead of echoed directly.
$content .= $report->run()->render(true);

require_once "path/to/MyReport2.php";
$report2 = new MyReport2();
$content .= $report2->run()->render(true);

// Add the nonce to KoolReport's script tags. This only matches tags that open
// exactly as '<script type="text/javascript"'. Replace this nonce value with
// the one your CSP header sends for this response.
$content = str_replace(
    '<script type="text/javascript"',
    '<script type="text/javascript" nonce="416d1177-4d12-4e3b-b7c9-f6c409789fb8"',
    $content
);

echo $content;
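The workaround above uses a fixed nonce string; for a nonce-based CSP to actually restrict scripts, the value has to be unpredictable and generated fresh for every response, and the same value must appear in the CSP header and in every script tag. The following is an added example (not KoolReport's or the thread's code) that ties those pieces together; it assumes the MyReport.php class from the thread and a plain PHP entry point rather than a CakePHP controller.

```php
<?php
// Added example: per-response CSP nonce applied to KoolReport output.
// Assumes MyReport.php from the thread; the CSP below covers only script-src,
// so merge it with whatever policy your application already sends.
declare(strict_types=1);

require_once "MyReport.php";

/**
 * Generate a nonce that is unpredictable and unique for this response.
 * A constant nonce lets any injected markup reuse it, which defeats the CSP.
 */
function makeCspNonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Add nonce="..." to every <script ...> opening tag, with or without a type
 * attribute, while leaving tags that already carry a nonce untouched.
 */
function addNonceToScripts(string $html, string $nonce): string
{
    $attr = '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '"';
    return preg_replace('/<script\b(?![^>]*\bnonce=)/i', $attr, $html);
}

$nonce = makeCspNonce();

// The header must go out before any output and carry the same nonce.
header(sprintf("Content-Security-Policy: script-src 'self' 'nonce-%s'", $nonce));

// Render to a string (render(true)) so the markup can be rewritten first.
$report = new MyReport();
$content = $report->run()->render(true);

echo addNonceToScripts($content, $nonce);
```

Browsers compare the tag's nonce attribute byte-for-byte with the header value, so any script tag the rewrite misses (for example one emitted after this point by another component) will still be blocked and show up in the console or in CSP violation reports.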
