Description
Describe the bug
When visiting https://web.app.ufz.de/datahub and https://web.app.ufz.de/datahub/organisations, the following things fail:
- translations keys containing an expression (e.g. the resource count on the right of the home page)
- thumbnails using inline data URL
Example of errors:
Refused to load the image 'data:image/png;base64,...' because it violates the following Content Security Policy directive: "img-src 'self' 'unsafe-inline' https://*.tile.openstreetmap.org".
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
GeoNetwork-UI version used: 4.4.9
Application: Datahub
Note: the website has the following header on the HTML response:
Content-Security-Policy
default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline' https://*.tile.openstreetmap.org; style-src 'self' 'unsafe-inline' blob: ; font-src 'self' ; frame-src 'self' *.ufz.de ; child-src 'self' *.ufz.de ; object-src 'none' ; frame-ancestors 'self' https://*.ufz.de ; connect-src 'self'
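To check a header like the one above against the two loads that fail in this report, here is an added example (not GeoNetwork-UI project code) that parses the CSP and reports whether a data: image and an eval() call would be permitted; the header value is embedded as constructed sample input:

```python
"""Check which of the report's failing loads a Content-Security-Policy permits."""

# The header quoted in the report, embedded here as sample input.
REPORTED_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "img-src 'self' 'unsafe-inline' https://*.tile.openstreetmap.org; "
    "style-src 'self' 'unsafe-inline' blob: ; font-src 'self' ; "
    "frame-src 'self' *.ufz.de ; child-src 'self' *.ufz.de ; "
    "object-src 'none' ; frame-ancestors 'self' https://*.ufz.de ; "
    "connect-src 'self'"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Fetch directives (img-src, script-src, ...) fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def allows_scheme(policy: dict, directive: str, scheme: str) -> bool:
    """A scheme source such as data: or blob: must be listed explicitly."""
    return f"{scheme}:" in effective_sources(policy, directive)


def allows_eval(policy: dict) -> bool:
    """eval() and new Function() require 'unsafe-eval' in script-src."""
    return "'unsafe-eval'" in effective_sources(policy, "script-src")


def misplaced_unsafe_inline(policy: dict) -> list:
    """'unsafe-inline' only applies to script-src/style-src; elsewhere browsers ignore it."""
    return [d for d, src in policy.items()
            if "'unsafe-inline'" in src and not d.startswith(("script-src", "style-src"))]


def blocked_loads(header: str) -> list:
    """Name the loads from the report that this policy blocks."""
    policy = parse_csp(header)
    blocked = []
    if not allows_scheme(policy, "img-src", "data"):
        blocked.append("data: image thumbnails")
    if not allows_eval(policy):
        blocked.append("eval-based translation expressions")
    return blocked
```

Running `blocked_loads(REPORTED_CSP)` reproduces both browser errors, and `misplaced_unsafe_inline` flags the `'unsafe-inline'` in `img-src`, which browsers ignore.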
Expected behaviour
The GeoNetwork-UI documentation clearly explains how this kind of problem can be avoided by adding the proper values to the `Content-Security-Policy` header.
Steps To Reproduce
Open the following URLs:
Screenshots
