fix: #3577029 CSP violation caused by inline onchange event handler in simplified toolbar switcher (!143) · Merge requests · project / wse

The simplified toolbar switcher renders a element with an inline onchange="this.form.submit();" attribute. Inline event handlers cannot be whitelisted via CSP hashes (per spec), and are blocked by strict CSP policies such as those enforced by the Seckit module.

This branch:

Replaces the inline onchange attribute with a data-wse-workspace-switcher attribute used as a JS hook.
Attaches the new JS file that submits the form through the data-wse-workspace-switcher attribute.
Attaches the new wse/simplified_toolbar_switcher library to the form.
Declares the new library in wse.libraries.yml, pointing to the existing js/wse-simplified-toolbar-switcher.js file.

It's my first contribution with merge request, so don't hesite to tell me if anything wasn't ok.

fix: #3577029 CSP violation caused by inline onchange event handler in simplified toolbar switcher

Merge request reports