🐞 Bug Summary
The admin UI contains 165 inline event handler attributes (onclick, oninput, onsubmit, etc.) in admin.html and form-handling templates. Browsers treat these as inline scripts, requiring script-src 'unsafe-inline' or 'unsafe-hashes' with per-handler hashes. Any CSP policy that omits both will silently block these handlers, breaking search, form submission, and other interactive UI elements.
🧩 Affected Component
- mcpgateway - UI (admin panel)
🔁 Steps to Reproduce
- Deploy the admin UI with a CSP that omits
'unsafe-inline' from script-src
- Open the admin panel in a browser
- Attempt to use the global search (line 807), an input field (line 888), or submit a form
- Open the browser console
🤔 Expected Behavior
All interactive UI elements function normally under a strict CSP.
📓 Logs / Error Output
Refused to execute inline event handler because it violates the following
Content Security Policy directive: "script-src ...".
Affected handlers include:
onclick="Admin.openGlobalSearchModal()" — line 807oninput=... — line 888onsubmit=... — form-handling templates
Note: the 8 hx-on:* attributes are not affected — HTMX evaluates these via the trusted HTMX script and honours inlineScriptNonce.
🧩 Additional Context
Current count: 165 inline handlers in the admin UI (reduced from 189 on main).
Fix: Migrate inline handlers to delegated addEventListener calls in the bundled JS. A data-action="..." pattern works well here — HTML elements declare their intent via a data attribute, and a single top-level listener in the bundle dispatches to the relevant Admin.* method. No new logic is needed; only the wiring location changes.
The 'unsafe-eval' requirement from Alpine.js standard build is tracked separately in #4653.
Related: PR #4424 (CSP hardening) identified this gap — the policy introduced there cannot be fully enforced until these handlers are migrated.
🐞 Bug Summary
The admin UI contains 165 inline event handler attributes (
onclick, oninput, onsubmit, etc.) inadmin.htmland form-handling templates. Browsers treat these as inline scripts, requiringscript-src 'unsafe-inline' or 'unsafe-hashes'with per-handler hashes. Any CSP policy that omits both will silently block these handlers, breaking search, form submission, and other interactive UI elements.🧩 Affected Component
🔁 Steps to Reproduce
'unsafe-inline'fromscript-src🤔 Expected Behavior
All interactive UI elements function normally under a strict CSP.
📓 Logs / Error Output
Refused to execute inline event handler because it violates the following
Content Security Policy directive: "script-src ...".
Affected handlers include:
onclick="Admin.openGlobalSearchModal()"— line 807oninput=...— line 888onsubmit=...— form-handling templatesNote: the 8
hx-on:*attributes are not affected — HTMX evaluates these via the trusted HTMX script and honours inlineScriptNonce.🧩 Additional Context
Current count: 165 inline handlers in the admin UI (reduced from 189 on
main).Fix: Migrate inline handlers to delegated
addEventListenercalls in the bundled JS. Adata-action="..."pattern works well here — HTML elements declare their intent via a data attribute, and a single top-level listener in the bundle dispatches to the relevantAdmin.*method. No new logic is needed; only the wiring location changes.The
'unsafe-eval'requirement from Alpine.js standard build is tracked separately in #4653.Related: PR #4424 (CSP hardening) identified this gap — the policy introduced there cannot be fully enforced until these handlers are migrated.