Forum OpenACS Development: Cannot import JQuery

Posted by Juan Carlos on

I tried to import jquery using the script tags, but I get this error in the console

Refused to load the stylesheet because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback

What should I do? This wasn't an issue in other projects I worked on.

2: Re: Cannot import JQuery (response to 1)
Posted by Gustaf Neumann on
First of all, if you do not want to use CSP, then deactivate it via kernel parameters (set CSPEnabledP to 0), then no CSP checking will be performed, same as ever.

If you want to use CSP, make yourself familiar and read [1]. When including jquery, always use the templating API [2] for including content, and when you want to use a CDN, make sure to allow these external resources via "security::csp::require ...".

When you use the preview version of OpenACS 5.10 (from the oacs-5-10 branch), it is recommended to use URNs [3], which act like a registry for resources, where it can be managed in one place what internal or CDN resources are loaded (e.g. for the rich-text editors), where some themes might already include certain resources (like jquery in the bootstrap themes).

Note that several versions of jquery have security problems, such that currently jquery 3.4.0 is recommended. Several people recommend avoiding jquery when possible (see e.g. [4]).

Hope this helps.
-gn

[1] https://openacs.org/xowiki/CSP
[2] https://openacs.org/api-doc/procs-file-view?path=packages/acs-templating/tcl/head-procs.tcl
[3] https://openacs.org/xowiki/openacs-todo
[4] http://youmightnotneedjquery.com/
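
Added example, not part of the original thread and not OpenACS code: a simplified JavaScript model of the browser check behind the error above, showing how a stylesheet load falls back from style-src-elem to style-src and why a CDN host is refused until it is listed in the policy. The site origin, the CDN host and the file name are constructed, and all function names are hypothetical.

```javascript
// Simplified model of CSP directive fallback and source matching (added example).
// Handles 'self', "*", scheme sources (https:) and host sources (optional scheme,
// optional leading "*."); ports, paths, nonces and hashes are not modelled.
const FALLBACK = {
  "style-src-elem": ["style-src-elem", "style-src", "default-src"],
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
};

// Parse a policy string into a Map: directive name -> list of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // If a directive is repeated, the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(expr, url, origin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === origin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline' etc. never match a URL
  if (e === "*") return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const base = scheme ? scheme + ":" : new URL(origin).protocol; // no scheme: page's scheme
  if (url.protocol !== base && !(base === "http:" && url.protocol === "https:")) return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Decide whether `resourceUrl` may be loaded for `directive` on a page served from `origin`.
function evaluate(policy, directive, resourceUrl, origin) {
  const directives = parsePolicy(policy);
  const used = (FALLBACK[directive] || [directive]).find((d) => directives.has(d));
  if (!used) return { allowed: true, used: null }; // no directive in the chain is set
  const url = new URL(resourceUrl);
  return { allowed: directives.get(used).some((s) => sourceMatches(s, url, origin)), used };
}

// Constructed inputs: the policy from the error message, a hypothetical site and CDN.
const ORIGIN = "https://openacs.example";
const CDN_CSS = "https://cdn.example/jquery-ui.css";
const BEFORE = "style-src 'self' 'unsafe-inline'";
const AFTER = "style-src 'self' 'unsafe-inline' cdn.example";
console.log("before:", evaluate(BEFORE, "style-src-elem", CDN_CSS, ORIGIN));
console.log("after: ", evaluate(AFTER, "style-src-elem", CDN_CSS, ORIGIN));
```

Listing only the specific CDN host keeps the policy narrow; a scheme source such as `https:` would also satisfy the check but would allow stylesheets from any HTTPS origin.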