jsxc: Update content security policy to prevent style errors

- Without the CSP, during loading there are no errors in the console. However, during chatting, some styling related error show up. Tests: - Ensure that there are no CSP related errors in the browser console. Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-21 07:55:00 +00:00 · 2025-11-15 20:22:40 -08:00 · 2025-11-15 20:22:40 -08:00 · ffecd1411b
commit ffecd1411b
parent a66c011f0b
1 changed files with 16 additions and 0 deletions
--- a/plinth/modules/jsxc/views.py
+++ b/plinth/modules/jsxc/views.py
@ -1,10 +1,13 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 """Views for the JSXC module."""

+import copy
+
 from django.http import Http404
 from django.views.generic import TemplateView

 import plinth.app as app_module
+from plinth.middleware import CONTENT_SECURITY_POLICY
 from plinth.modules.names.components import DomainName


@ -12,6 +15,14 @@ class JsxcView(TemplateView):
    """A simple page to embed Javascript XMPP Client library."""

    template_name = 'jsxc_launch.html'
+    headers: dict[str, str] = {}
+
+    def __init__(self, **kwargs):
+        """Initialize the view and set CSP."""
+        super().__init__(**kwargs)
+        csp = copy.copy(CONTENT_SECURITY_POLICY)
+        csp['style-src'] = "'self' 'unsafe-inline'"
+        self.headers['Content-Security-Policy'] = csp.get_header_value()

    def dispatch(self, request, *args, **kwargs):
        """Don't serve the view when app is disabled."""
@ -26,3 +37,8 @@ class JsxcView(TemplateView):
        context = super().get_context_data(*args, **kwargs)
        context['domain_name'] = DomainName.list_names()[0]
        return context
+
+    def get(self, request, *args, **kwargs):
+        """Handle GET request and return a response object."""
+        context = self.get_context_data(**kwargs)
+        return self.render_to_response(context, headers=self.headers)