
remove inline on** (onclick etc) handlers because of CSP violations in addons #2147

Open
opto opened this issue Nov 20, 2021 · 11 comments

@opto

opto commented Nov 20, 2021

Short description
Tried to use w2ui inside Mozilla addons (e.g. Thunderbird).

What is current behavior
Blocked due to CSP violations. The problem is the implicit onclick handlers etc.

Tried in an example position to replace

            var html =
                '<div class="w2ui-scroll-wrapper" onmousedown="var el=w2ui[\''+ this.name +'\']; if (el) el.resize();">'+
                '    <div class="w2ui-tabs-line"></div>'+

by

            var html =
                '<div id="render' + this.renderInd + '" class="w2ui-scroll-wrapper">' +
                '    <div class="w2ui-tabs-line"></div>' +

//!!!!! after the markup is in the DOM, attach the handler with jQuery instead of an
// inline onmousedown attribute; this.name is already a string, so it is used as the
// key directly (wrapping it in extra quotes would look up the wrong w2ui entry)
                $('#render' + this.renderInd).on('mousedown', () => { var el = w2ui[this.name]; if (el) el.resize(); });

What is desired behavior

The above removes the CSP violations, but there are too many for me to replace (search for onclick, onmouse etc. in w2ui-1.5.js).

Any help/consideration of this is appreciated.

The current code works in FF, but not in addons, they seem to have different CSP requirements.

@opto opto changed the title remove inline on** (onclick etc) handlers remove inline on** (onclick etc) handlers because of CSP violations in addons Nov 20, 2021
@vitmalina
Owner

In version 2.0 there are plans to support the strictest CSP. 1.5 never will. However, you can set custom CSP settings for an addon, which works just fine.

@opto
Author

opto commented Nov 23, 2021

Good to hear, many thanks.
Do you have an idea how to formulate the CSP manifest entry to allow v1.5? I tried several versions from MDN and Stack Overflow and was not yet successful.

@vitmalina
Owner

Add this to manifest.json

{
  ...
  "content_security_policy": "default-src 'self' 'unsafe-eval' ; style-src 'unsafe-inline'; script-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self' data: 'unsafe-inline';"
}

@opto
Author

opto commented Nov 24, 2021

Many thanks, but unfortunately Mozilla does not allow unsafe-inline for addons (FF itself is fine):
see https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy

@vitmalina
Owner

I see that Chrome extension manifest v3 also has the same problems. It works for manifest v2, but not v3: unsafe-inline is ignored for script-src.

@opto
Author

opto commented Nov 25, 2021

Yes, and it is not only in your code. In your code, I successfully updated some parts, but then I came to a point where code inside jQuery caused CSP errors.
That is something where I do not have enough knowledge to change.

@vitmalina
Owner

See https://github.com/vitmalina/bela - it is a chrome extension that uses w2ui. Works there.

@vitmalina
Owner

vitmalina commented Nov 27, 2021

With the latest push, all but grid support the following CSP:

<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data:; style-src 'self' 'unsafe-inline';">
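The two policies posted in this thread (the manifest.json entry above and this meta tag) differ in how they treat inline on* handlers. The following is an added example, not code from w2ui or from anyone in the thread: it applies the CSP3 directive fallback (script-src-attr / script-src-elem, then script-src, then default-src) to a policy string and reports whether inline handler attributes and inline script bodies would be allowed; 'unsafe-hashes' is not modelled.

```javascript
// Added example (not w2ui code): evaluate a CSP string for inline script.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per spec, a repeated directive name is ignored: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs `directive`, or null when the policy says nothing
// about it (an absent directive imposes no restriction at all).
function effectiveSources(directives, directive) {
  const chain = (directive === 'script-src-attr' || directive === 'script-src-elem')
    ? [directive, 'script-src', 'default-src']
    : [directive, 'default-src'];
  for (const name of chain) if (directives.has(name)) return directives.get(name);
  return null;
}

// Inline script runs only if the governing list contains 'unsafe-inline' and
// no nonce or hash source (either of those switches 'unsafe-inline' off).
function inlineAllowed(policy, directive) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  const keywords = sources.map(s => s.toLowerCase());
  if (keywords.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s))) return false;
  return keywords.includes("'unsafe-inline'");
}

const allowsInlineHandlers = policy => inlineAllowed(policy, 'script-src-attr');
const allowsInlineScripts = policy => inlineAllowed(policy, 'script-src-elem');

// The two policies quoted in this thread.
const MANIFEST_CSP = "default-src 'self' 'unsafe-eval' ; style-src 'unsafe-inline'; script-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self' data: 'unsafe-inline';";
const STRICT_CSP = "default-src 'self' data:; style-src 'self' 'unsafe-inline';";

for (const [label, csp] of [['manifest', MANIFEST_CSP], ['strict', STRICT_CSP]]) {
  console.log(label, 'inline on* handlers:', allowsInlineHandlers(csp),
              'inline <script>:', allowsInlineScripts(csp));
}
```

Extension platforms add their own rules on top of the standard semantics (the thread notes that Firefox addons and Chrome manifest v3 refuse 'unsafe-inline' for scripts), so a policy this check accepts can still be rejected by the manifest validator.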

@opto
Author

opto commented Nov 28, 2021

I tried to load that into Firefox, but it does not work, throwing CSP errors (which probably was to be expected).

@opto
Author

opto commented Nov 28, 2021

And concerning the other post: unsafe-inline is not allowed (the Thunderbird team argues that is because TB addons have access to emails, very private information, so more security is needed).

@vitmalina
Owner

Styles unsafe-inline will need to stay.
