Desktop v3.6.3 pre-release: Plugin API breaking change

Overview

To improve security, the v3.6.3 pre-release strengthened the desktop app's Content-Security-Policy. As a result, inline event handlers and script blocks are now blocked in most plugin WebViews.

Plugins that rely on inline event handlers or script blocks may be broken by this change.

Why

A stronger Content-Security-Policy:

  • Makes issues in the main Joplin app less likely to become security vulnerabilities.
  • Makes issues related to how plugins render/display untrusted content less likely to become security vulnerabilities (e.g. joplin-outline#100).

How to migrate

Replace inline event handlers (e.g. onclick="alert()") with listeners registered from a content script, and move any inline <script> blocks into a script registered with joplin.views.panels.addScript. Under the new policy both are blocked, whether or not the handler's code is trivial.

For example, a plugin might have previously created a panel with the following HTML:

<div>
    <h1>Test!</h1>
    <button id="button" onclick="print()">Print the panel</button>
</div>

With this change, the onclick handler will be blocked, since the print() JavaScript is included directly in the HTML.

The plugin should instead add the onclick handler from the panel's content script:

// In a script added by "joplin.views.panels.addScript":
document.querySelector('#button').onclick = () => print();
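As an added example (not Joplin's own code and not part of this announcement): a small Node.js script that scans a panel's HTML for the two constructs this release blocks, inline on* handler attributes and inline <script> blocks without a src, and reports the line of each so the plugin author knows what to move into a content script before upgrading. The regular expressions and the sample HTML are assumptions of the example; the scanner is a deliberate approximation rather than an HTML parser, so a hit inside an HTML comment or a quoted string is something to check, not a definite violation.

```javascript
// Added example, not Joplin's own code: audit a plugin panel's HTML for the
// constructs that the strengthened CSP in v3.6.3 blocks (inline event-handler
// attributes and inline <script> blocks), so they can be moved into a script
// registered with joplin.views.panels.addScript before upgrading.
// The regexes are an approximation, not an HTML parser (assumption of this
// example): text inside comments or attribute values can produce false hits.

// Constructed sample: the panel from this announcement plus an inline script block.
const LEGACY_PANEL_HTML = `<div>
    <h1>Test!</h1>
    <button id="button" onclick="print()">Print the panel</button>
    <script>
        document.title = 'My panel';
    </script>
</div>`;

// The same panel after migration: no inline JavaScript at all. The click
// handler and the title assignment now belong in the content script.
const MIGRATED_PANEL_HTML = `<div>
    <h1>Test!</h1>
    <button id="button">Print the panel</button>
</div>`;

// An attribute named on<letters> with a value, e.g. onclick="print()".
const INLINE_HANDLER_RE = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
// A <script>...</script> element; group 1 is its attribute list, group 2 its body.
const INLINE_SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// 1-based line number of a character offset within text.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns findings sorted by line, each { kind, line, detail }.
function findCspViolations(html) {
  const findings = [];
  let m;

  INLINE_HANDLER_RE.lastIndex = 0;
  while ((m = INLINE_HANDLER_RE.exec(html)) !== null) {
    findings.push({
      kind: 'inline-handler',
      line: lineOf(html, m.index),
      detail: m[1].toLowerCase(),
    });
  }

  INLINE_SCRIPT_RE.lastIndex = 0;
  while ((m = INLINE_SCRIPT_RE.exec(html)) !== null) {
    const hasSrc = /\bsrc\s*=/i.test(m[1]);
    const body = m[2].trim();
    // <script src="..."> loads a file rather than inline code, so it is not
    // an inline script block; an empty body has nothing to block either.
    if (!hasSrc && body.length > 0) {
      findings.push({
        kind: 'inline-script',
        line: lineOf(html, m.index),
        detail: body.split('\n')[0].trim(),
      });
    }
  }

  return findings.sort((a, b) => a.line - b.line);
}

// One report line per finding, or a single all-clear line.
function formatReport(name, findings) {
  if (findings.length === 0) {
    return [`${name}: no inline handlers or script blocks found`];
  }
  return findings.map(
    (f) => `${name}:${f.line}: ${f.kind} (${f.detail}) must move into a content script`,
  );
}

for (const [name, html] of [
  ['legacy.html', LEGACY_PANEL_HTML],
  ['migrated.html', MIGRATED_PANEL_HTML],
]) {
  for (const line of formatReport(name, findCspViolations(html))) console.log(line);
}
```

Run it with node against the HTML strings a plugin builds for its panels and dialogs; a clean report for every view is the pre-upgrade check. An element-scoped scan of a live document would be more precise, but the point of auditing the HTML string is to catch the problem before the WebView, and the CSP, ever sees it.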

For plugins that can't migrate

Joplin maintains a list of known legacy plugins that this change won't apply to. These plugins' panels/dialogs will be isolated from the main application, so the change to the Content-Security-Policy doesn't apply to them. Please let us know if a plugin needs to be added to this list!
