
CSP blocks the `delay` script block

Open phiw13 opened this issue 1 year ago • 3 comments

Textpattern 4.9dev, plugin version: 4.9.0-beta.

Relevant CSP setting: `script-src-elem 'strict-dynamic' '<txp:smd_token name="csp_token" prefix="nonce-" />'`

Add a honeypot field to the form: `<txp:com_connect_text hidden label="" name="r_u_human" default="yes" expected="yes" delay="6" required="0" />`

The script block as inserted:

```html
<script>document.addEventListener("DOMContentLoaded", () => {
    let theForm = document.getElementById('com31f8a29dd4f03ba39d7ddc447d33add7');
    theForm.addEventListener("focusin", (ev) => {
        setTimeout(function() {
            let fedadccecfb = document.getElementById("com31f8a29dd4f03ba39d7ddc447d33add7");
            fedadccecfb.insertAdjacentHTML('beforeend', '<input class="comText" id="r_u_human" name="r_u_human" type="text" value="yes" maxlength="100" form="com31f8a29dd4f03ba39d7ddc447d33add7" hidden>');
        }, (["6"][["6"].length * Math.random() | 0]) * 1000);
    }, { once: true })
});</script>
```

The browser blocks this as no nonce is specified.

Expected: `<script nonce="xxxxxx">…</script>`

Result: on submitting the form it is treated as spam.

phiw13 avatar Sep 02 '24 06:09 phiw13
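To make the failure mode above concrete, here is an added example (not code from com_connect, Textpattern or the issue author) that models how a browser evaluates a nonce-based `script-src-elem` directive against an inline `<script>` element. It shows that the block as emitted is refused, and that the same block with a matching `nonce` attribute passes. The nonce value and the helper names (`isInlineScriptAllowed`, `withNonce`) are constructed for this example.

```javascript
// Added example: a small model of CSP3 inline-script evaluation, to show why
// a <script> without a nonce is blocked under a nonce-bearing script-src-elem.
// Not part of the com_connect plugin; nonce values below are constructed.

// Split a directive value such as "'strict-dynamic' 'nonce-abc123'"
// into its source expressions.
function parseSources(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// Return the nonce values the policy accepts ("'nonce-XYZ'" -> "XYZ").
function allowedNonces(sources) {
  return sources
    .filter((s) => /^'nonce-[^']+'$/.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
}

// Extract the nonce attribute from the opening <script ...> tag, if present.
function scriptNonce(scriptTag) {
  const m = /<script\b[^>]*\bnonce="([^"]*)"/i.exec(scriptTag);
  return m ? m[1] : null;
}

// Decide whether an inline script element runs under the directive.
// Rules modelled (a subset of CSP3):
//  - if the policy carries any nonce or hash source, an inline script runs
//    only when its nonce attribute equals an allowed nonce; 'unsafe-inline'
//    is ignored in that case. Hash sources are recognised but not verified
//    here, so a hash-only policy always yields false in this model;
//  - without nonce/hash sources, inline scripts run only if the policy
//    contains 'unsafe-inline'.
function isInlineScriptAllowed(directiveValue, scriptTag) {
  const sources = parseSources(directiveValue);
  const nonces = allowedNonces(sources);
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  const tagNonce = scriptNonce(scriptTag);
  if (nonces.length > 0 || hasHash) {
    return tagNonce !== null && nonces.includes(tagNonce);
  }
  return sources.includes("'unsafe-inline'");
}

// Attach a nonce to a generated script block; this is the markup shape the
// issue asks for. The nonce is validated so it cannot break out of the
// attribute value.
function withNonce(scriptHtml, nonce) {
  if (!/^[A-Za-z0-9+/=_-]+$/.test(nonce)) {
    throw new Error("nonce must be base64/base64url characters only");
  }
  return scriptHtml.replace(/^<script\b/i, `<script nonce="${nonce}"`);
}

// Constructed inputs: a policy like the one in the report, and a stripped-down
// inline block of the kind the plugin emits.
const CSP = "'strict-dynamic' 'nonce-d2VsY29tZQ'";
const generated =
  '<script>document.addEventListener("DOMContentLoaded", () => {});</script>';

console.log(isInlineScriptAllowed(CSP, generated));                          // false
console.log(isInlineScriptAllowed(CSP, withNonce(generated, "d2VsY29tZQ"))); // true
```

The `withNonce` helper is the server-side change the report implies: the plugin has to emit the per-response nonce on the `<script>` it injects, since under a nonce-bearing directive the browser does not fall back to `'unsafe-inline'`.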