Is there a TLDR Version vor the CSP Stuff

I am adding V12 Support to one of my extensions but i keep receiving CSP Errors on the Backend.

For example when i want to create a new inline Record. I found this resource but TBH i don’t want to make a degree on the topic before advancing with my task.

The logging is not helpful i see there is an issue but i cant find ANY information on how to fix that. Can’t find help on the web as well.

How am i supposed to fix the issue?

BTW: Is it just me or did V12 brake too many things at once. At this point i am sure my company will lose a lot of money supporting it

By inspecting the Network tab i found out the inline request returned a json with javascript code to be evaluated. Pretty common i guess. The browser refused to eval the code and issued the CSP report.

The javascript code was added because a custom eval rule was used in the child tca

I just don’t know how to fix this issue.

So it seems you are required to return a JavaScriptModuleInstruction insteadof a plain javascript callback. Found out about that by debugging the source code, the docs are incomplete.

I opened an issue for this missing documentation:

Okay, so i was able to find out about 1 CSP Problem. This is going to be very painful i fear.

This issue was a helpful resource for the evaluator problem:

It seems that you found the corresponding changelog item already at Deprecation: #100587 - Deprecate form engine additionalJavaScriptPost and custom eval inline JavaScript

Instead of eval’ing JSON as plain JavaScript, I’d suggest to serialize data to JSON on the server side (json_encode($data)) and to parse that string on the client side again (e.g. lat data = JSON.parse('{"hello":"world"}');). Independent of CSP, using JSON.parse successfully mitigates cross-site scripting (and a potential prototype pollution as well).