Skip to content

Problem: Refresh page links violate CSP

Current Behavior

Steps to reproduce the behavior

  1. As a non-authenticated user, attach records to your clipboard.
  2. Export them as a CSV.
  3. In the notification that appears when you click Export, click the link that says "Refresh the page"
  4. Notice that nothing happens.
  5. Open the developer console in your browser and notice the error message.
Image

Expected Behavior

Clicking the link should refresh the page.

Possible Solution

Like in #2233, the inline JS should be removed, a data-action="refresh" attribute should be added on these links, and non-inline Javascript should be used to query for elements with that attribute. When elements matching that query are clicked, then reload the window.

There is a file that can do this with non-inline Javascript, see /js/refreshJobs.js. I think this file could be made more generic to provide window refreshing on any element that has data-action="refresh".

document.querySelectorAll('[data-action="refresh"]').forEach(function (el) {
  el.addEventListener("click", function (e) {
    e.preventDefault();
    window.location.reload();
  }
});

It would make sense to rename this file from refreshJobs.js to windowReload.js.

Context and Notes

This issue is similar to #2232 (closed).

Version used

AtoM 2.10 (latest qa/2.x)

Operating System and version

Docker (php:8.3-fpm-alpine)

Default installation culture

en

PHP version

PHP 8.3

Contact details

No response