I am adding V12 support to one of my extensions, but I keep receiving CSP errors on the backend.
For example, when I want to create a new inline record. I found this resource, but TBH I don't want to get a degree on the topic before advancing with my task.
The logging is not helpful; I see there is an issue, but I can't find ANY information on how to fix it. Can't find help on the web either.
How am I supposed to fix the issue?
BTW: Is it just me, or did V12 break too many things at once? At this point I am sure my company will lose a lot of money supporting it.
By inspecting the Network tab I found out the inline request returned JSON with JavaScript code to be evaluated. Pretty common, I guess. The browser refused to eval the code and issued the CSP report.
So it seems you are required to return a JavaScriptModuleInstruction instead of a plain JavaScript callback. I found out about that by debugging the source code; the docs are incomplete.
I opened an issue for this missing documentation:
Okay, so I was able to find out about 1 CSP problem. This is going to be very painful, I fear.
Instead of eval'ing JSON as plain JavaScript, I'd suggest serializing data to JSON on the server side (json_encode($data)) and parsing that string on the client side again (e.g. let data = JSON.parse('{"hello":"world"}');). Independent of CSP, using JSON.parse successfully mitigates cross-site scripting (and a potential prototype pollution as well).
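The two client-side patterns discussed in this thread, side by side, as an added example that is not code from the thread or from TYPO3: evaluating the response body as JavaScript (the pattern the browser's CSP blocked) versus parsing it with JSON.parse. The response bodies are constructed for the demo and only mimic the shape of an "inline record" reply; the function names evalResponse, parseResponse and pickFields are assumptions, not TYPO3 APIs. It goes slightly beyond the post above by showing why a later merge step still needs an allow-list even after JSON.parse.

```javascript
// Added example (not from the thread or TYPO3). Contrasts eval of a response
// body with JSON.parse of the same data, and shows the prototype-pollution
// difference the reply above refers to.

// Constructed legacy-style body: a statement with a side effect, followed by
// the data as an object-literal expression. Whatever the server (or anyone
// who can influence the response) puts here runs with the page's privileges.
const LEGACY_BODY =
  'globalThis.sideEffectRan = true; ' +
  '({"uid": 42, "title": "New record", "__proto__": {"polluted": true}})';

// Constructed JSON body: the same payload as pure data. The title carries an
// HTML/JS payload and a "__proto__" key to show that both stay inert.
const JSON_BODY =
  '{"uid": 42, "title": "<img src=x onerror=alert(1)>", ' +
  '"__proto__": {"polluted": true}}';

// Legacy pattern: indirect eval, i.e. the code runs in global scope exactly as
// an injected <script> would. In a browser whose CSP lacks 'unsafe-eval' this
// throws an EvalError and the CSP violation report fires; in Node it just runs.
// Note that an object literal with a "__proto__" key SETS the prototype of the
// returned object, so attacker-controlled keys become inherited properties.
function evalResponse(body) {
  return (0, eval)(body);
}

// Hardened pattern: JSON.parse. There is no code-execution path, a malformed
// body surfaces as a SyntaxError the caller can handle, and a "__proto__" key
// becomes an ordinary own property instead of changing the prototype chain.
function parseResponse(body) {
  const data = JSON.parse(body);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('expected a JSON object');
  }
  return data;
}

// JSON.parse alone does not protect a subsequent naive merge into another
// object (for example into a global config), because the "__proto__" own key
// is still present. Copy only allow-listed own properties onto a fresh object
// so prototype keys can never be smuggled along.
function pickFields(data, allowed) {
  const out = Object.create(Object.prototype);
  for (const key of allowed) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      continue; // never copy prototype-related keys, even if allow-listed by mistake
    }
    if (Object.prototype.hasOwnProperty.call(data, key)) {
      out[key] = data[key];
    }
  }
  return out;
}

// Demo: what the browser refused to do vs. what the CSP-friendly path does.
function demo() {
  const legacy = evalResponse(LEGACY_BODY);
  const parsed = parseResponse(JSON_BODY);
  return {
    // eval: inherited property came from the response's __proto__ key
    evalInheritedPolluted: legacy.polluted,
    // JSON.parse: no inheritance, the key is just an own property
    parsedPolluted: parsed.polluted,
    parsedHasOwnProto: Object.prototype.hasOwnProperty.call(parsed, '__proto__'),
    // the allow-listed copy carries only the fields the UI actually needs
    pickedKeys: Object.keys(pickFields(parsed, ['uid', 'title'])),
  };
}
```

On the server side the matching change is to emit the data with json_encode($data) and nothing else; with the body being plain JSON, the client never needs eval, so no 'unsafe-eval' exception has to be added to the backend CSP.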