v1.18.1 CSP Error when plugins load remote JS scripts #6686

Open
PraveenAlexis opened this issue Apr 19, 2024 · 1 comment
@PraveenAlexis

Prerequisites

  • [ Yes] Can you reproduce the problem in a fresh installation of the "develop" branch?
  • [ Yes] Do you have any errors in the PHP error log, or javascript console?
  • [ Yes] Did you check the osTicket forums?
  • [ Yes] Did you perform a cursory search to see if your bug or enhancement is already reported?

For more information on how to write a good bug report

Description

[Description of the bug or feature]

Steps to Reproduce

  1. [First Step]
    Install this plugin https://github.com/DavidMarquezF/osTicket-google-recaptcha
  2. [Second Step]
    Create a form with the captcha field added

Expected behavior: [What you expected to happen]
This will show a google captcha field in the ticket open page.

Actual behavior: [What actually happened]
Captcha field is blank with a JS console error

Refused to load the script 'https://www.google.com/recaptcha/api.js?hl=en_US' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Versions

Admin panel -> Dashboard -> Information which also additionally gives you information about your server.

Also, please include the OS and what version of the OS you're running. As well as your browser and browser version.

v1.18.1
Ubuntu 20
php 8.1

@JediKev
Contributor

JediKev commented Apr 19, 2024

@PraveenAlexis

That is not a core plugin. If you need to load external JS you need to modify the CSP headers; below is where they are set:

You can also reach out to the modder directly in their repo and see if they can add code to override the default CSP headers we set.

However, doing so should be at your own risk, as you could open yourself up to potential security vulnerabilities/attacks. I would only allow the needed sources to be as safe as possible.

Cheers.
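Added example, not part of the thread and not osTicket or plugin code: a simplified model of how a browser evaluates the `script-src` policy from the console error, showing that adding only the reCAPTCHA path unblocks the script while a bare-origin entry allows every script on that host. `PAGE_ORIGIN`, the function names and the extra test URLs are constructed for illustration.

```javascript
// Added example: simplified CSP matching (exact origin + path only; no wildcards,
// scheme-only sources, nonces or hashes). PAGE_ORIGIN is a constructed value.
const PAGE_ORIGIN = 'https://helpdesk.example';
const DEFAULT_CSP = "script-src 'self' 'unsafe-inline'"; // from the console error
const BLOCKED_URL = 'https://www.google.com/recaptcha/api.js?hl=en_US';

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function matchesSource(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  let expr;
  try { expr = new URL(source); } catch { return false; } // unsupported form
  if (expr.origin !== url.origin) return false;
  if (expr.pathname === '/') return true; // no path given: whole origin allowed
  // A path ending in "/" is a prefix match, anything else must match exactly.
  return expr.pathname.endsWith('/')
    ? url.pathname.startsWith(expr.pathname)
    : url.pathname === expr.pathname;
}

function isScriptAllowed(header, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const d = parsePolicy(header);
  // script-src-elem falls back to script-src (as the error notes), then default-src.
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // nothing governs script loads
  const url = new URL(scriptUrl);
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}

function allowScriptSource(header, source) {
  const d = parsePolicy(header);
  if (!d.has('script-src')) throw new Error('policy has no script-src to extend');
  if (!d.get('script-src').includes(source)) d.get('script-src').push(source);
  return [...d].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

const narrow = allowScriptSource(DEFAULT_CSP, 'https://www.google.com/recaptcha/');
console.log(narrow, isScriptAllowed(narrow, BLOCKED_URL));
```

Any further script or frame source the widget requests will surface as its own console violation and can be checked against the amended policy the same way.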
