From b2ef6ca25cc14d572021d9178880dab8b6f98aaa Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Wed, 13 Aug 2025 16:26:23 +0000
Subject: [PATCH 01/12] feat(dev): asset nonce;

- Add support for CSP Nonces for strict-dynamic directive.
---
 ckan/lib/webassets_tools.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ckan/lib/webassets_tools.py b/ckan/lib/webassets_tools.py
index 3fe27218541..b841d5cbfbe 100644
--- a/ckan/lib/webassets_tools.py
+++ b/ckan/lib/webassets_tools.py
@@ -11,7 +11,8 @@
 from webassets import Environment
 from webassets.loaders import YAMLLoader
 
-from ckan.common import config, g
+# (canada fork only): use CSP nonce to support strict-dynamic
+from ckan.common import config, g, request
 
 
 logger = logging.getLogger(__name__)
@@ -128,9 +129,13 @@ def include_asset(name: str) -> None:
 
 def _to_tag(url: str, type_: str):
     if type_ == u'style':
-        return u'<link href="{}" rel="stylesheet"/>'.format(url)
+        # (canada fork only): use CSP nonce to support strict-dynamic
+        return u'<link href="{}" rel="stylesheet" nonce="{}"/>'.format(
+            url, str(request.environ.get('CSP_NONCE', '')))
     elif type_ == u'script':
-        return u'<script src="{}" type="text/javascript"></script>'.format(url)
+        # (canada fork only): use CSP nonce to support strict-dynamic
+        return u'<script src="{}" type="text/javascript" nonce="{}"></script>'.format(
+            url, str(request.environ.get('CSP_NONCE', '')))
     return u''
 
 

From 3b375eba86395b58f6aebb3846dad85c22a6b049 Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Wed, 13 Aug 2025 16:32:24 +0000
Subject: [PATCH 02/12] feat(misc): changelog;

- Added change log file.
---
 changes/204.canada.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changes/204.canada.feature

diff --git a/changes/204.canada.feature b/changes/204.canada.feature
new file mode 100644
index 00000000000..fefffbacd51
--- /dev/null
+++ b/changes/204.canada.feature
@@ -0,0 +1 @@
+Adds script/style nonce capabilities to Jinja2 webassets.
\ No newline at end of file

From 3dcd22845f2bf03ea65b4d0c5f6b4a7e1031553a Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Tue, 19 Aug 2025 14:26:04 +0000
Subject: [PATCH 03/12] fix(templates): inline eval;

- Continued unsafe inline stuffs.
---
 ckanext/datatablesview/public/datatablesview.js       | 11 +++++++++++
 .../templates/datatables/datatables_form.html         |  3 ++-
 .../templates/datatables/datatables_view.html         |  9 ++++++---
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ckanext/datatablesview/public/datatablesview.js b/ckanext/datatablesview/public/datatablesview.js
index 1daa4bf93d1..e7fe376e48c 100644
--- a/ckanext/datatablesview/public/datatablesview.js
+++ b/ckanext/datatablesview/public/datatablesview.js
@@ -421,6 +421,7 @@ this.ckan.module('datatables_view', function (jQuery) {
             display: $.fn.dataTable.Responsive.display.modal({
               header: function (row) {
                 // add clipboard and print buttons to modal record display
+                // TODO: move style attributes to classes...
                 var data = row.data();
                 return '<span style="font-size:150%;font-weight:bold;">Details:</span>&nbsp;&nbsp;<div class=" dt-buttons btn-group">' +
                   '<button id="modalcopy-button" class="btn btn-default" title="' + that._('Copy to clipboard') + '" onclick="copyModal(\'' +
@@ -595,6 +596,16 @@ this.ckan.module('datatables_view', function (jQuery) {
           }
         }, // end stateSaveParams
         initComplete: function (settings, json) {
+
+          // (canada forn only): no inline event handler for CSP support
+          let refitColButton = $('#refit-button');
+          if( refitColButton.length > 0 ){
+            $(refitColButton).off('click.dt_refit');
+            $(refitColButton).on('click.dt_refit', function(_event){
+              fitColText();
+            });
+          }
+
           // this callback is invoked by DataTables when table is fully rendered
           const api = this.api()
           // restore some data-dependent saved states now that data is loaded
diff --git a/ckanext/datatablesview/templates/datatables/datatables_form.html b/ckanext/datatablesview/templates/datatables/datatables_form.html
index 19aa42c58cf..82e75caf2cc 100644
--- a/ckanext/datatablesview/templates/datatables/datatables_form.html
+++ b/ckanext/datatablesview/templates/datatables/datatables_form.html
@@ -31,7 +31,8 @@
   <br/>
   <a class="dt-show-all" href="javascript:void(0);"><span class="mrgn-rght-md"><i class="fa fa-eye"></i>&nbsp;{{ _('Show All') }}</span></a>
   <a class="dt-hide-all" href="javascript:void(0);"><span><i class="fa fa-eye-slash"></i>&nbsp;{{ _('Hide All') }}</span></a>
-  <script>
+  {# (canada fork only): script nonce for CSP support #}
+  <script nonce="{{- h.get_inline_script_nonce() -}}">
     window.addEventListener('load', function(){
       $(document).ready(function(){
         let dtShowAll = $('a.dt-show-all');
diff --git a/ckanext/datatablesview/templates/datatables/datatables_view.html b/ckanext/datatablesview/templates/datatables/datatables_view.html
index caf1b797f95..f67a0686b7f 100644
--- a/ckanext/datatablesview/templates/datatables/datatables_view.html
+++ b/ckanext/datatablesview/templates/datatables/datatables_view.html
@@ -17,7 +17,8 @@
   {% endif -%}
 {% endfor -%}
 {%- set nbspval = "&nbsp;"|safe -%}
-<script type=text/javascript>
+{# (canada fork only): script nonce for CSP support #}
+<script type=text/javascript  nonce="{{- h.get_inline_script_nonce() -}}">
     const gdataDict = {{ columnDataDict|tojson }}
     const gresviewId = '{{ resource_view.id }}'
 </script>
@@ -71,7 +72,8 @@
         <th id="_colspacer">colspacer</th>
       </tr>
       <tr>
-        <th><button id="refit-button" class="btn btn-default" title="{{- _('Refit') -}}" onclick="fitColText()"><i class="fa fa-text-width"></i></button></th>
+        {# (canada forn only): no inline event handler for CSP support #}
+        <th><button id="refit-button" class="btn btn-default" title="{{- _('Refit') -}}"><i class="fa fa-text-width"></i></button></th>
         {% for field in datadictionary -%}
           {% if 'show_fields' not in resource_view or field.id in resource_view.show_fields -%}
             <th id="cdx{{ loop.index }}" class="fhead" data-type="{{ field.type }}">
@@ -103,7 +105,8 @@
 
 {#- we create tooltip here instead of javascript so we can leverage the automatic-local-datetime class date conversion CKAN does -#}
 {%- set res = resource %}
-<div id="dtv-resource-info" style="display: none;">
+{# (canada fork only): no inline style for CSP support #}
+<div id="dtv-resource-info" class="d-none">
   {{- _('Data last updated') }}: {{ local_friendly_datetime(res.last_modified) }}&#10;
   {{- _('Metadata last updated') }}: {{ local_friendly_datetime(res.metadata_modified) }}&#10;
   {{- _('Created') }}: {{ local_friendly_datetime(res.created) }}&#10;

From ce8915586b4792c23eb23a703f120d6ef051027c Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Tue, 19 Aug 2025 18:09:44 +0000
Subject: [PATCH 04/12] feat(templates): more csp;

- More inline things.
- More nonce usage.
---
 .../modules/resource-upload-field.js          | 47 ++++++++++++++++++-
 .../snippets/resource_upload_field.html       | 39 +++++----------
 ckanext/activity/templates/group/changes.html |  2 +-
 .../templates/organization/changes.html       |  2 +-
 .../activity/templates/package/changes.html   |  2 +-
 .../snippets/activity_type_selector.html      |  2 +-
 .../templates/snippets/pagination.html        |  2 +-
 .../user/snippets/followee_dropdown.html      |  2 +-
 .../datatablesview/public/datatablesview.js   |  7 +--
 .../templates/datatables/datatables_view.html |  2 +-
 .../imageview/theme/templates/image_view.html |  2 +-
 .../textview/theme/templates/text_view.html   |  3 +-
 12 files changed, 73 insertions(+), 39 deletions(-)

diff --git a/ckan/public/base/javascript/modules/resource-upload-field.js b/ckan/public/base/javascript/modules/resource-upload-field.js
index e389ad49d21..3439e5722be 100644
--- a/ckan/public/base/javascript/modules/resource-upload-field.js
+++ b/ckan/public/base/javascript/modules/resource-upload-field.js
@@ -15,7 +15,7 @@ this.ckan.module('resource-upload-field', function (jQuery) {
       // revert to URL for Link option
       $('#resource-link-button').on('click', function() {
         urlField.attr('type', 'url');
-      }) 
+      })
 
       $('#field-resource-upload').on('change', function() {
         if (_nameIsDirty) {
@@ -34,6 +34,51 @@ this.ckan.module('resource-upload-field', function (jQuery) {
 
         $('input[name="name"]').val(file_name);
       });
+
+      // (canada fork only): CSP support
+      let uploadButton = $('#resource-upload-button');
+      if( uploadButton.length > 0 ){
+        $(uploadButton).off('click.ResourceEdit');
+        $(uploadButton).on('click.ResourceEdit', function(_event){
+          let uploadField = document.getElementById('resource-url-upload');
+          if( typeof uploadField !== 'undefined' && uploadField != null ){
+            uploadField.checked = true;
+          }
+          document.getElementById('field-resource-upload').click();
+        });
+      }
+      let linkButton = $('#resource-link-button');
+      if( linkButton.length > 0 ){
+        $(linkButton).off('click.ResourceEdit');
+        $(linkButton).on('click.ResourceEdit', function(_event){
+          let urlField = document.getElementById('resource-url-link');
+          if( typeof urlField !== 'undefined' && urlField != null ){
+            urlField.checked = true;
+          }
+          document.getElementById('field-resource-url').focus();
+        });
+      }
+      let removeURIButtons = $('.btn-remove-url');
+      if( removeURIButtons.length > 0 ){
+        $(removeURIButtons).each(function(_index, _removeURIButton){
+          $(_removeURIButton).off('click.ResourceEdit');
+          $(_removeURIButton).on('click.ResourceEdit', function(_event){
+            let clearUploadField = document.getElementById('field-clear-upload');
+            if( typeof clearUploadField !== 'undefined' && clearUploadField != null ){
+              clearUploadField.checked = true;
+            }
+            document.getElementById('resource-url-none').checked = true;
+            document.getElementById($(_removeURIButton).attr('data-first-button')).focus();
+            console.log($(_removeURIButton).attr('data-is-upload'));
+            if( $(_removeURIButton).attr('data-is-upload') == 'true' || $(_removeURIButton).attr('data-is-upload') == true || $(_removeURIButton).attr('data-is-upload') == 'True' ){
+              $('#field-resource-upload').replaceWith($('#field-resource-upload').val('').clone(true));
+            }else{
+              $('#field-resource-url').val('');
+            }
+          });
+        });
+      }
+
     }
   }
 });
diff --git a/ckan/templates/package/snippets/resource_upload_field.html b/ckan/templates/package/snippets/resource_upload_field.html
index 121506e5fa6..1bf32ae09e4 100644
--- a/ckan/templates/package/snippets/resource_upload_field.html
+++ b/ckan/templates/package/snippets/resource_upload_field.html
@@ -22,13 +22,9 @@
 
 {% set first_button = 'resource-upload-button' if is_upload_enabled else 'resource-link-button' %}
 
-{% macro remove_button(js='') %}
-  <button type="button" class="btn btn-danger btn-remove-url"
-    onclick="
-      document.getElementById('resource-url-none').checked = true;
-      document.getElementById('{{ first_button }}').focus();
-      {{ js }}
-    ">{{ _('Remove') }}</button>
+{% macro remove_button(is_upload) %}
+  {# (canada fork only): CSP support #}
+  <button type="button" class="btn btn-danger btn-remove-url" data-is-upload="{{- is_upload -}}" data-first-button="{{- first_button -}}">{{ _('Remove') }}</button>
 {% endmacro %}
 
 <div data-module="resource-upload-field" class="resource-upload-field form-group">
@@ -40,19 +36,13 @@
     <div role="group" aria-labelledby="resource-menu-label">
       {% block url_type_select %}
         {% if is_upload_enabled %}
+          {# (canada fork only): CSP support #}
           <button type="button" class="btn btn-default" id="resource-upload-button"
-            title="{{ _('Upload a file on your computer') }}"
-            onclick="
-              document.getElementById('resource-url-upload').checked = true;
-              document.getElementById('field-resource-upload').click();
-            "><i class="fa fa-cloud-upload"></i>{{ _("Upload") }}</button>
+            title="{{ _('Upload a file on your computer') }}"><i class="fa fa-cloud-upload"></i>{{ _("Upload") }}</button>
         {% endif %}
+        {# (canada fork only): CSP support #}
         <button type="button" class="btn btn-default" id="resource-link-button"
-          title="{{ _('Link to a URL on the internet (you can also link to an API)') }}"
-            onclick="
-              document.getElementById('resource-url-link').checked = true;
-              document.getElementById('field-resource-url').focus();
-            "><i class="fa fa-globe"></i>{{ _('Link') }}</button>
+          title="{{ _('Link to a URL on the internet (you can also link to an API)') }}"><i class="fa fa-globe"></i>{{ _('Link') }}</button>
       {% endblock %}
     </div>
   </div>
@@ -67,11 +57,8 @@
             {# for existing uploads we show the file name in a readonly input box #}
             <input type="checkbox" id="field-clear-upload" value="true">
             <div class="upload-type">
-              <button type="button" class="btn btn-danger btn-remove-url"
-                onclick="
-                  document.getElementById('field-clear-upload').checked = true;
-                  document.getElementById('field-resource-upload').focus();
-                ">{{ _('Clear Upload') }}</button>
+              {# (canada fork only): CSP support #}
+              <button type="button" class="btn btn-danger btn-remove-url" data-is-upload="{{- is_upload -}}" data-first-button="{{- first_button -}}">{{ _('Clear Upload') }}</button>
               <label class="form-label">{{ upload_label or _('File') }}</label>
               <div class="controls">
                 {% set existing_name = data.get('url', '').split('/')[-1].split('?')[0].split('#')[0] %}
@@ -80,8 +67,8 @@
             </div>
           {% endif %}
           <div class="upload-type">
-            {{ remove_button(
-              js="$('#field-resource-upload').replaceWith($('#field-resource-upload').val('').clone(true))") }}
+            {# (canada fork only): CSP support #}
+            {{ remove_button(is_upload='true') }}
             {{ form.input(
               'upload',
               label=upload_label or _('File'),
@@ -97,8 +84,8 @@
       'checked' if is_url else '' }}>
     <div class="select-type">
       {% block link_controls %}
-        {{ remove_button(
-          js="$('#field-resource-url').val('')") }}
+      {# (canada fork only): CSP support #}
+        {{ remove_button(is_upload='false') }}
         {{ form.input(
           'url',
           label=url_label or _('URL'),
diff --git a/ckanext/activity/templates/group/changes.html b/ckanext/activity/templates/group/changes.html
index 00b73076212..c162e97a7f0 100644
--- a/ckanext/activity/templates/group/changes.html
+++ b/ckanext/activity/templates/group/changes.html
@@ -46,7 +46,7 @@ <h1 class="page-heading">{{ _('Changes') }}</h1>
         {% if i == 0 %}
           {# button to show JSON metadata diff for the most recent change - not shown by default #}
           <input type="button" data-module="metadata-button" data-module-target="" class="btn" value="Show metadata diff" id="metadata_button"></input>
-          <div id="metadata_diff" style="display:none;">
+          <div id="metadata_diff" class="d-none-soft">
           {% block group_changes_diff %}
             <pre>
               {{ activity_diffs[0]['diff']|safe }}
diff --git a/ckanext/activity/templates/organization/changes.html b/ckanext/activity/templates/organization/changes.html
index 7a85b191461..c23bae7fe7e 100644
--- a/ckanext/activity/templates/organization/changes.html
+++ b/ckanext/activity/templates/organization/changes.html
@@ -46,7 +46,7 @@ <h1 class="page-heading">{{ _('Changes') }}</h1>
         {% if i == 0 %}
           {# button to show JSON metadata diff for the most recent change - not shown by default #}
           <input type="button" data-module="metadata-button" data-module-target="" class="btn" value="Show metadata diff" id="metadata_button"></input>
-          <div id="metadata_diff" style="display:none;">
+          <div id="metadata_diff" class="d-none-soft">
           {% block organization_changes_diff %}
             <pre>
               {{ activity_diffs[0]['diff']|safe }}
diff --git a/ckanext/activity/templates/package/changes.html b/ckanext/activity/templates/package/changes.html
index 51052be0219..1b0c5a16f3b 100644
--- a/ckanext/activity/templates/package/changes.html
+++ b/ckanext/activity/templates/package/changes.html
@@ -46,7 +46,7 @@ <h1 class="page-heading">{{ _('Changes') }}</h1>
         {% if i == 0 %}
           {# button to show JSON metadata diff for the most recent change - not shown by default #}
           <input type="button" data-module="metadata-button" data-module-target="" class="btn" value="Show metadata diff" id="metadata_button"></input>
-          <div id="metadata_diff" style="display:none;">
+          <div id="metadata_diff" class="d-none-soft">
           {% block package_changes_diff %}
             <pre>
               {{ activity_diffs[0]['diff']|safe }}
diff --git a/ckanext/activity/templates/snippets/activity_type_selector.html b/ckanext/activity/templates/snippets/activity_type_selector.html
index ff75156801e..135c8d836ad 100644
--- a/ckanext/activity/templates/snippets/activity_type_selector.html
+++ b/ckanext/activity/templates/snippets/activity_type_selector.html
@@ -11,7 +11,7 @@
 
 {# (canada fork only): translations and blocks #}
 
-<div id="activity_types_filter" class="{%- block activity_form_classes -%}{%- endblock -%}" style="margin-bottom: 15px;" data-module="activity-stream">
+<div id="activity_types_filter" class="{%- block activity_form_classes -%}{%- endblock -%} mb-4" data-module="activity-stream">
   <label for="activity_types_filter_select" class="{%- block activity_label_classes -%}{%- endblock -%}">{{ _('Activity type') }}</label>
   <select id="activity_types_filter_select" class="{%- block activity_select_classes -%}{%- endblock -%}">
     <option {% if not activity_types %}selected{% endif %} data-url="{{ h.url_for(blueprint, id=id) }}">
diff --git a/ckanext/activity/templates/snippets/pagination.html b/ckanext/activity/templates/snippets/pagination.html
index 721daf15597..0ad2af88994 100644
--- a/ckanext/activity/templates/snippets/pagination.html
+++ b/ckanext/activity/templates/snippets/pagination.html
@@ -1,7 +1,7 @@
 {% set class_prev = "btn btn-default" if newer_activities_url else "btn disabled" %}
 {% set class_next = "btn btn-default" if older_activities_url else "btn disabled" %}
 
-<div id="activity_page_buttons" class="activity_buttons" style="margin-top: 25px;">
+<div id="activity_page_buttons" class="activity_buttons mt-5">
   <a href="{{ newer_activities_url }}" class="{{ class_prev }}">{{ _('Newer activities') }}</a>
   <a href="{{ older_activities_url }}" class="{{ class_next }}">{{ _('Older activities') }}</a>
 </div>
\ No newline at end of file
diff --git a/ckanext/activity/templates/user/snippets/followee_dropdown.html b/ckanext/activity/templates/user/snippets/followee_dropdown.html
index f3db3288354..bbe5e045f3a 100644
--- a/ckanext/activity/templates/user/snippets/followee_dropdown.html
+++ b/ckanext/activity/templates/user/snippets/followee_dropdown.html
@@ -18,7 +18,7 @@
     </a>
   </div>
 
-  <form id="followee-content" action="/dashboard" style=" display:none;">
+  <form id="followee-content" action="/dashboard" class="d-none-soft">
     <div class="popover-header">
       <div class="input-group">
         <span class="input-group-text"><i class="fa fa-search"></i></span>
diff --git a/ckanext/datatablesview/public/datatablesview.js b/ckanext/datatablesview/public/datatablesview.js
index e7fe376e48c..c7193e7338a 100644
--- a/ckanext/datatablesview/public/datatablesview.js
+++ b/ckanext/datatablesview/public/datatablesview.js
@@ -421,9 +421,9 @@ this.ckan.module('datatables_view', function (jQuery) {
             display: $.fn.dataTable.Responsive.display.modal({
               header: function (row) {
                 // add clipboard and print buttons to modal record display
-                // TODO: move style attributes to classes...
+                // (canada fork only): CSP support
                 var data = row.data();
-                return '<span style="font-size:150%;font-weight:bold;">Details:</span>&nbsp;&nbsp;<div class=" dt-buttons btn-group">' +
+                return '<span class="font-weight-bold fw-bold">Details:</span>&nbsp;&nbsp;<div class=" dt-buttons btn-group">' +
                   '<button id="modalcopy-button" class="btn btn-default" title="' + that._('Copy to clipboard') + '" onclick="copyModal(\'' +
                   packagename + '&mdash;' + resourcename + '\')"><i class="fa fa-copy"></i></button>' +
                   '<button id="modalprint-button" class="btn btn-default" title="' + that._('Print') + '" onclick="printModal(\'' +
@@ -463,9 +463,10 @@ this.ckan.module('datatables_view', function (jQuery) {
         const colid = 'dtcol-' + validateId(colname) + '-' + i
         const coltype = $(thecol).data('type')
         const placeholderText = formatdateflag && coltype.substr(0, 9) === 'timestamp' ? ' placeholder="yyyy-mm-dd"' : ''
+        // (canada fork only): CSP support
         $('<input id="' + colid + '" name="' + colid + '" autosave="' + colid + '"' +
                 placeholderText +
-                ' class="fhead form-control input-sm" type="search" results="10" autocomplete="on" style="width:100%"/>')
+                ' class="fhead form-control input-sm canada-width-full" type="search" results="10" autocomplete="on"/>')
           .appendTo($(thecol).empty())
           .on('keyup search', function (event) {
             const colSelector = colname + ':name'
diff --git a/ckanext/datatablesview/templates/datatables/datatables_view.html b/ckanext/datatablesview/templates/datatables/datatables_view.html
index f67a0686b7f..c6ab7d278ca 100644
--- a/ckanext/datatablesview/templates/datatables/datatables_view.html
+++ b/ckanext/datatablesview/templates/datatables/datatables_view.html
@@ -106,7 +106,7 @@
 {#- we create tooltip here instead of javascript so we can leverage the automatic-local-datetime class date conversion CKAN does -#}
 {%- set res = resource %}
 {# (canada fork only): no inline style for CSP support #}
-<div id="dtv-resource-info" class="d-none">
+<div id="dtv-resource-info" class="d-none-soft">
   {{- _('Data last updated') }}: {{ local_friendly_datetime(res.last_modified) }}&#10;
   {{- _('Metadata last updated') }}: {{ local_friendly_datetime(res.metadata_modified) }}&#10;
   {{- _('Created') }}: {{ local_friendly_datetime(res.created) }}&#10;
diff --git a/ckanext/imageview/theme/templates/image_view.html b/ckanext/imageview/theme/templates/image_view.html
index 5c0a981df1e..ef996edcc03 100644
--- a/ckanext/imageview/theme/templates/image_view.html
+++ b/ckanext/imageview/theme/templates/image_view.html
@@ -1,2 +1,2 @@
-<img style="margin:auto; max-height:100%; display:block" src="{{ resource_view.get('image_url') or resource.get('url') }}"
+<img class="d-block mx-auto my-auto mh-100" src="{{ resource_view.get('image_url') or resource.get('url') }}"
 alt="{%- if h.lang() == 'fr' -%}{{ resource_view.get('title_fr') }}{%- else -%}{{ resource_view.get('title') }}{%- endif -%}"/>
diff --git a/ckanext/textview/theme/templates/text_view.html b/ckanext/textview/theme/templates/text_view.html
index cad4131c096..87e104bc164 100644
--- a/ckanext/textview/theme/templates/text_view.html
+++ b/ckanext/textview/theme/templates/text_view.html
@@ -12,7 +12,8 @@
   </div>
 
   {% block scripts %}
-    <script>
+    {# (canada fork only): CSP support #}
+    <script nonce="{{- h.get_inline_script_nonce() -}}">
       var preload_resource = {{ h.literal(resource_json) }};
       var resource_url = {{ h.literal(resource_url) }};
       var preview_metadata = {{ h.literal(preview_metadata) }};

From 83596124f0710a13c8fdb4678546725aaa1f6254 Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Tue, 19 Aug 2025 18:52:41 +0000
Subject: [PATCH 05/12] feat(templates): more csp;

- More inline things.
- More nonce usage.
---
 ckan/public/base/css/main.css                 | 35 +++++++++++++++++++
 ckan/templates/base.html                      |  3 +-
 ckan/templates/dataviewer/base.html           |  3 +-
 ckan/templates/user/snippets/recaptcha.html   | 13 +++----
 .../templates/datatables/datatables_form.html |  2 +-
 .../templates/datatables/datatables_view.html |  2 +-
 .../textview/theme/templates/text_view.html   |  2 +-
 7 files changed, 49 insertions(+), 11 deletions(-)

diff --git a/ckan/public/base/css/main.css b/ckan/public/base/css/main.css
index 4c0ae550b8a..b2c82b834d4 100644
--- a/ckan/public/base/css/main.css
+++ b/ckan/public/base/css/main.css
@@ -14184,3 +14184,38 @@ div[data-module="progress-bar"] .progress-bar-label{
   text-align: right;
   margin-bottom: 23px;
 }
+
+/* (canada fork only): CSP support */
+.user-recaptcha-wrapper{
+  width: 304px;
+  height: 352px;
+  position: relative;
+}
+.user-recaptcha-frame-wrapper{
+  width: 304px;
+  height: 352px;
+  position: absolute;
+}
+.user-recaptcha-frame{
+  width: 304px;
+  height: 352px
+}
+.user-recaptcha-text-wrapper{
+  width: 250px;
+  height: 80px;
+  position: absolute;
+  bottom: 21px;
+  left: 25px;
+  margin: 0;
+  padding: 0;
+  right: 25px;
+}
+.user-recaptcha-text{
+  width: 250px;
+  height: 80px;
+  border: 1px solid #c1c1c1;
+  margin: 0;
+  padding: 0;
+  resize: none;
+}
+/* END (canada fork only): CSP support END */
\ No newline at end of file
diff --git a/ckan/templates/base.html b/ckan/templates/base.html
index b42fb8e7925..8e663fe4b2a 100644
--- a/ckan/templates/base.html
+++ b/ckan/templates/base.html
@@ -83,7 +83,8 @@
     {{ h.render_assets('style') }}
     {%- block custom_styles %}
       {%- if g.site_custom_css -%}
-      <style>
+      {# (canada fork only): CSP support #}
+      <style none="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
         {{ g.site_custom_css | safe }}
       </style>
       {%- endif %}
diff --git a/ckan/templates/dataviewer/base.html b/ckan/templates/dataviewer/base.html
index 9f3d7147776..cc0e7af4acf 100644
--- a/ckan/templates/dataviewer/base.html
+++ b/ckan/templates/dataviewer/base.html
@@ -4,7 +4,8 @@
 
 {# remove any scripts #}
 {% block scripts %}
-  <script>
+  {# (canada fork only): CSP support #}
+  <script none="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
     var preload_resource = {{ h.literal(h.dump_json(resource)) }};
   </script>
 {% endblock %}
diff --git a/ckan/templates/user/snippets/recaptcha.html b/ckan/templates/user/snippets/recaptcha.html
index 0f0f7e772f7..0863f771ce1 100644
--- a/ckan/templates/user/snippets/recaptcha.html
+++ b/ckan/templates/user/snippets/recaptcha.html
@@ -1,16 +1,17 @@
 <div class="form-group">
   <div class="controls">
-    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
+    {# (canada fork only): CSP support #}
+    <script src="https://www.google.com/recaptcha/api.js" none="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}" async defer></script>
     <div class="g-recaptcha" data-sitekey="{{ public_key }}"></div>
 
     <noscript>
-      <div style="width: 304px; height: 352px; position: relative;">
-        <div style="width: 304px; height: 352px; position: absolute;">
-          <iframe title="Recaptcha" src="https://www.google.com/recaptcha/api/fallback?k={{ public_key }}" frameborder="0" scrolling="no" style="width: 304px; height:352px"></iframe>
+      <div class="user-recaptcha-wrapper">
+        <div class="user-recaptcha-frame">
+          <iframe class="user-recaptcha-frame" title="Recaptcha" src="https://www.google.com/recaptcha/api/fallback?k={{ public_key }}" frameborder="0" scrolling="no"></iframe>
         </div>
 
-        <div style="width: 250px; height: 80px; position: absolute; bottom: 21px; left: 25px; margin: 0; padding: 0; right: 25px;">
-          <textarea id="g-recaptcha-response" name="g-recaptcha-response" style="width: 250px; height: 80px; border: 1px solid #c1c1c1;	margin: 0; padding: 0; resize: none;" class="g-recaptcha-response"></textarea>
+        <div class="user-recaptcha-text-wrapper">
+          <textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response user-recaptcha-text"></textarea>
         </div>
       </div>
     </noscript>
diff --git a/ckanext/datatablesview/templates/datatables/datatables_form.html b/ckanext/datatablesview/templates/datatables/datatables_form.html
index b4f4a9556fe..bb43aeb8eec 100644
--- a/ckanext/datatablesview/templates/datatables/datatables_form.html
+++ b/ckanext/datatablesview/templates/datatables/datatables_form.html
@@ -33,7 +33,7 @@
   <a class="dt-show-all" href="javascript:void(0);"><span class="mrgn-rght-md"><i class="fa fa-eye"></i>&nbsp;{{ _('Show All') }}</span></a>
   <a class="dt-hide-all" href="javascript:void(0);"><span><i class="fa fa-eye-slash"></i>&nbsp;{{ _('Hide All') }}</span></a>
   {# (canada fork only): script nonce for CSP support #}
-  <script nonce="{{- h.get_inline_script_nonce() -}}">
+  <script nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
     window.addEventListener('load', function(){
       $(document).ready(function(){
         let dtShowAll = $('a.dt-show-all');
diff --git a/ckanext/datatablesview/templates/datatables/datatables_view.html b/ckanext/datatablesview/templates/datatables/datatables_view.html
index c6ab7d278ca..78ce05ddf0e 100644
--- a/ckanext/datatablesview/templates/datatables/datatables_view.html
+++ b/ckanext/datatablesview/templates/datatables/datatables_view.html
@@ -18,7 +18,7 @@
 {% endfor -%}
 {%- set nbspval = "&nbsp;"|safe -%}
 {# (canada fork only): script nonce for CSP support #}
-<script type=text/javascript  nonce="{{- h.get_inline_script_nonce() -}}">
+<script type=text/javascript  nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
     const gdataDict = {{ columnDataDict|tojson }}
     const gresviewId = '{{ resource_view.id }}'
 </script>
diff --git a/ckanext/textview/theme/templates/text_view.html b/ckanext/textview/theme/templates/text_view.html
index 87e104bc164..de5b43a4bb9 100644
--- a/ckanext/textview/theme/templates/text_view.html
+++ b/ckanext/textview/theme/templates/text_view.html
@@ -13,7 +13,7 @@
 
   {% block scripts %}
     {# (canada fork only): CSP support #}
-    <script nonce="{{- h.get_inline_script_nonce() -}}">
+    <script nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
       var preload_resource = {{ h.literal(resource_json) }};
       var resource_url = {{ h.literal(resource_url) }};
       var preview_metadata = {{ h.literal(preview_metadata) }};

From 30367ad45ffa843d3df0b7c95e08112ed6ccfd7a Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Wed, 20 Aug 2025 13:23:36 +0000
Subject: [PATCH 06/12] feat(css): data to images;

- Move data images to actual images.
---
 ckan/public/base/css/main.css | 57 ++++++++++++++++++++++++-----------
 1 file changed, 39 insertions(+), 18 deletions(-)

diff --git a/ckan/public/base/css/main.css b/ckan/public/base/css/main.css
index b2c82b834d4..35979bb5bb6 100644
--- a/ckan/public/base/css/main.css
+++ b/ckan/public/base/css/main.css
@@ -2348,7 +2348,8 @@ textarea.form-control-lg {
   line-height: 1.5;
   color: #333333;
   background-color: #fff;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/chevron-down.svg");
   background-repeat: no-repeat;
   background-position: right 0.75rem center;
   background-size: 16px 12px;
@@ -2439,15 +2440,18 @@ textarea.form-control-lg {
   border-color: #206b82;
 }
 .form-check-input:checked[type=checkbox] {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10l3 3l6-6'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/check.svg"), url("/static/img/data_img/check.svg");
 }
 .form-check-input:checked[type=radio] {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='2' fill='%23fff'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot.svg"), url("/static/img/data_img/dot.svg");
 }
 .form-check-input[type=checkbox]:indeterminate {
   background-color: #206b82;
   border-color: #206b82;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10h8'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dash.svg"), url("/static/img/data_img/dash.svg");
 }
 .form-check-input:disabled {
   pointer-events: none;
@@ -2464,7 +2468,8 @@ textarea.form-control-lg {
 .form-switch .form-check-input {
   width: 2em;
   margin-left: -2.5em;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='rgba%280, 0, 0, 0.25%29'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot-grey.svg"), url("/static/img/data_img/dot-grey.svg");
   background-position: left center;
   border-radius: 2em;
   transition: background-position 0.15s ease-in-out;
@@ -2475,11 +2480,13 @@ textarea.form-control-lg {
   }
 }
 .form-switch .form-check-input:focus {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%2390b5c1'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot-blue.svg"), url("/static/img/data_img/dot-blue.svg");
 }
 .form-switch .form-check-input:checked {
   background-position: right center;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%23fff'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot-white.svg"), url("/static/img/data_img/dot-white.svg");
 }
 
 .form-check-inline {
@@ -2749,7 +2756,8 @@ textarea.form-control-lg {
 .was-validated .form-control:valid, .form-control.is-valid {
   border-color: #3A833A;
   padding-right: calc(1.5em + 0.75rem);
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'%3e%3cpath fill='%233A833A' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/check-green.svg"), url("/static/img/data_img/check-green.svg");
   background-repeat: no-repeat;
   background-position: right calc(0.375em + 0.1875rem) center;
   background-size: calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
@@ -2769,7 +2777,8 @@ textarea.form-control-lg {
 }
 .was-validated .form-select:valid:not([multiple]):not([size]), .was-validated .form-select:valid:not([multiple])[size="1"], .form-select.is-valid:not([multiple]):not([size]), .form-select.is-valid:not([multiple])[size="1"] {
   padding-right: 4.125rem;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'%3e%3cpath fill='%233A833A' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-downg"), url("/data/static/img/data_img/check-green.svg"), url("/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/check-green.svg");
   background-position: right 0.75rem center, center right 2.25rem;
   background-size: 16px 12px, calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
 }
@@ -2838,7 +2847,8 @@ textarea.form-control-lg {
 .was-validated .form-control:invalid, .form-control.is-invalid {
   border-color: #d43f3a;
   padding-right: calc(1.5em + 0.75rem);
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/danger.svg"), url("/static/img/data_img/danger.svg");
   background-repeat: no-repeat;
   background-position: right calc(0.375em + 0.1875rem) center;
   background-size: calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
@@ -2858,7 +2868,8 @@ textarea.form-control-lg {
 }
 .was-validated .form-select:invalid:not([multiple]):not([size]), .was-validated .form-select:invalid:not([multiple])[size="1"], .form-select.is-invalid:not([multiple]):not([size]), .form-select.is-invalid:not([multiple])[size="1"] {
   padding-right: 4.125rem;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down.svg"), url("/data/static/img/data_img/danger.svg"), url("/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/danger.svg");
   background-position: right 0.75rem center, center right 2.25rem;
   background-size: 16px 12px, calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
 }
@@ -4400,7 +4411,8 @@ textarea.form-control-lg {
   border-color: rgba(0, 0, 0, 0.1);
 }
 .navbar-light .navbar-toggler-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%280, 0, 0, 0.55%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/burger.svg"), url("/static/img/data_img/burger.svg");
 }
 .navbar-light .navbar-text {
   color: rgba(0, 0, 0, 0.55);
@@ -4437,7 +4449,8 @@ textarea.form-control-lg {
   border-color: rgba(255, 255, 255, 0.1);
 }
 .navbar-dark .navbar-toggler-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%28255, 255, 255, 0.55%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/burger-lite.svg"), url("/static/img/data_img/burger-lite.svg");
 }
 .navbar-dark .navbar-text {
   color: rgba(255, 255, 255, 0.55);
@@ -4634,7 +4647,8 @@ textarea.form-control-lg {
   box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.125);
 }
 .accordion-button:not(.collapsed)::after {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%231d6075'%3e%3cpath fill-rule='evenodd' d='M1.646 4.646a.5.5 0 0 1 .708 0L8 10.293l5.646-5.647a.5.5 0 0 1 .708.708l-6 6a.5.5 0 0 1-.708 0l-6-6a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down-blue.svg"), url("/static/img/data_img/chevron-down-blue.svg");
   transform: rotate(-180deg);
 }
 .accordion-button::after {
@@ -4643,7 +4657,8 @@ textarea.form-control-lg {
   height: 1.25rem;
   margin-left: auto;
   content: "";
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23333333'%3e%3cpath fill-rule='evenodd' d='M1.646 4.646a.5.5 0 0 1 .708 0L8 10.293l5.646-5.647a.5.5 0 0 1 .708.708l-6 6a.5.5 0 0 1-.708 0l-6-6a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down-grey.svg"), url("/static/img/data_img/chevron-down-grey.svg");
   background-repeat: no-repeat;
   background-size: 1.25rem;
   transition: transform 0.2s ease-in-out;
@@ -5332,7 +5347,11 @@ textarea.form-control-lg {
   height: 1em;
   padding: 0.25em 0.25em;
   color: #000;
-  background: transparent url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23000'%3e%3cpath d='M.293.293a1 1 0 011.414 0L8 6.586 14.293.293a1 1 0 111.414 1.414L9.414 8l6.293 6.293a1 1 0 01-1.414 1.414L8 9.414l-6.293 6.293a1 1 0 01-1.414-1.414L6.586 8 .293 1.707a1 1 0 010-1.414z'/%3e%3c/svg%3e") center/1em auto no-repeat;
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/close-black.svg"), url("/static/img/data_img/close-black.svg");
+  background-color: transparent;
+  background-repeat: no-repeat;
+  background-position: center;
   border: 0;
   border-radius: 0.25rem;
   opacity: 0.5;
@@ -6059,11 +6078,13 @@ textarea.form-control-lg {
   } ]
 } */
 .carousel-control-prev-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23fff'%3e%3cpath d='M11.354 1.646a.5.5 0 0 1 0 .708L5.707 8l5.647 5.646a.5.5 0 0 1-.708.708l-6-6a.5.5 0 0 1 0-.708l6-6a.5.5 0 0 1 .708 0z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-left.svg"), url("/static/img/data_img/chevron-left.svg");
 }
 
 .carousel-control-next-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23fff'%3e%3cpath d='M4.646 1.646a.5.5 0 0 1 .708 0l6 6a.5.5 0 0 1 0 .708l-6 6a.5.5 0 0 1-.708-.708L10.293 8 4.646 2.354a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-right.svg"), url("/static/img/data_img/chevron-right.svg");
 }
 
 .carousel-indicators {

From 119d9196bbc2b4cc0dd26fccb706ec682d8e4ed7 Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Wed, 20 Aug 2025 15:36:36 +0000
Subject: [PATCH 07/12] feat(dev): cache control;

- Set no-cache for logged in users.
- Updated change log files.
---
 changes/{204.canada.feature => 204.a.canada.feature} | 0
 changes/204.b.canada.changes                         | 1 +
 changes/204.c.canada.changes                         | 1 +
 changes/204.d.canada.changes                         | 1 +
 ckan/views/__init__.py                               | 2 ++
 5 files changed, 5 insertions(+)
 rename changes/{204.canada.feature => 204.a.canada.feature} (100%)
 create mode 100644 changes/204.b.canada.changes
 create mode 100644 changes/204.c.canada.changes
 create mode 100644 changes/204.d.canada.changes

diff --git a/changes/204.canada.feature b/changes/204.a.canada.feature
similarity index 100%
rename from changes/204.canada.feature
rename to changes/204.a.canada.feature
diff --git a/changes/204.b.canada.changes b/changes/204.b.canada.changes
new file mode 100644
index 00000000000..0bce65fa0b4
--- /dev/null
+++ b/changes/204.b.canada.changes
@@ -0,0 +1 @@
+Moved inline styles and JS attributes to classes and event listeners respectfully.
\ No newline at end of file
diff --git a/changes/204.c.canada.changes b/changes/204.c.canada.changes
new file mode 100644
index 00000000000..41f8216c883
--- /dev/null
+++ b/changes/204.c.canada.changes
@@ -0,0 +1 @@
+Now sets the Cache-Control header to `no-cache, private` for logged in users.
\ No newline at end of file
diff --git a/changes/204.d.canada.changes b/changes/204.d.canada.changes
new file mode 100644
index 00000000000..8161b281f2f
--- /dev/null
+++ b/changes/204.d.canada.changes
@@ -0,0 +1 @@
+Loads image assets instead of `data:image` URIs for stricter Content-Security-Policy support.
\ No newline at end of file
diff --git a/ckan/views/__init__.py b/ckan/views/__init__.py
index 514d7d683ca..9428403f175 100644
--- a/ckan/views/__init__.py
+++ b/ckan/views/__init__.py
@@ -63,6 +63,8 @@ def set_cache_control_headers_for_response(response: Response) -> Response:
         except ValueError:
             pass
     else:
+        # (canada fork only): set NOCACHE for logged in sessions
+        response.cache_control.no_cache = True
         response.cache_control.private = True
 
     # Invalidate cached pages upon login/logout

From 1ab202da9890f7bf8cc6935d9f092cc39a7f67cb Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Fri, 22 Aug 2025 16:51:55 +0000
Subject: [PATCH 08/12] fix(misc): typos and logs;

- Fixed nonce typos.
- Removed dev console log.
- Added TODO comments.
---
 ckan/public/base/javascript/modules/metadata-button.js       | 2 +-
 ckan/public/base/javascript/modules/resource-upload-field.js | 1 -
 ckan/templates/base.html                                     | 2 +-
 ckan/templates/dataviewer/base.html                          | 2 +-
 ckan/templates/user/snippets/recaptcha.html                  | 2 +-
 ckanext/datatablesview/public/datatablesview.js              | 1 +
 6 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ckan/public/base/javascript/modules/metadata-button.js b/ckan/public/base/javascript/modules/metadata-button.js
index 609a8ec75e4..5a5a7300827 100644
--- a/ckan/public/base/javascript/modules/metadata-button.js
+++ b/ckan/public/base/javascript/modules/metadata-button.js
@@ -18,7 +18,7 @@ ckan.module('metadata-button', function(jQuery) {
     },
 
     _onClick: function(event) {
-      console.log("PRESSED THE BUTTON");
+      // FIXME: TODO: move style attributes to classes
       var div = document.getElementById("metadata_diff");
       if (div.style.display === "none") {
         div.style.display = "block";
diff --git a/ckan/public/base/javascript/modules/resource-upload-field.js b/ckan/public/base/javascript/modules/resource-upload-field.js
index 3439e5722be..e81a0cb5a00 100644
--- a/ckan/public/base/javascript/modules/resource-upload-field.js
+++ b/ckan/public/base/javascript/modules/resource-upload-field.js
@@ -69,7 +69,6 @@ this.ckan.module('resource-upload-field', function (jQuery) {
             }
             document.getElementById('resource-url-none').checked = true;
             document.getElementById($(_removeURIButton).attr('data-first-button')).focus();
-            console.log($(_removeURIButton).attr('data-is-upload'));
             if( $(_removeURIButton).attr('data-is-upload') == 'true' || $(_removeURIButton).attr('data-is-upload') == true || $(_removeURIButton).attr('data-is-upload') == 'True' ){
               $('#field-resource-upload').replaceWith($('#field-resource-upload').val('').clone(true));
             }else{
diff --git a/ckan/templates/base.html b/ckan/templates/base.html
index 8e663fe4b2a..d597c5d4b54 100644
--- a/ckan/templates/base.html
+++ b/ckan/templates/base.html
@@ -84,7 +84,7 @@
     {%- block custom_styles %}
       {%- if g.site_custom_css -%}
       {# (canada fork only): CSP support #}
-      <style none="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
+      <style nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
         {{ g.site_custom_css | safe }}
       </style>
       {%- endif %}
diff --git a/ckan/templates/dataviewer/base.html b/ckan/templates/dataviewer/base.html
index cc0e7af4acf..27c7888238c 100644
--- a/ckan/templates/dataviewer/base.html
+++ b/ckan/templates/dataviewer/base.html
@@ -5,7 +5,7 @@
 {# remove any scripts #}
 {% block scripts %}
   {# (canada fork only): CSP support #}
-  <script none="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
+  <script nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
     var preload_resource = {{ h.literal(h.dump_json(resource)) }};
   </script>
 {% endblock %}
diff --git a/ckan/templates/user/snippets/recaptcha.html b/ckan/templates/user/snippets/recaptcha.html
index 0863f771ce1..7e3309cbff4 100644
--- a/ckan/templates/user/snippets/recaptcha.html
+++ b/ckan/templates/user/snippets/recaptcha.html
@@ -1,7 +1,7 @@
 <div class="form-group">
   <div class="controls">
     {# (canada fork only): CSP support #}
-    <script src="https://www.google.com/recaptcha/api.js" none="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}" async defer></script>
+    <script src="https://www.google.com/recaptcha/api.js" nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}" async defer></script>
     <div class="g-recaptcha" data-sitekey="{{ public_key }}"></div>
 
     <noscript>
diff --git a/ckanext/datatablesview/public/datatablesview.js b/ckanext/datatablesview/public/datatablesview.js
index c7193e7338a..4cd4202f02d 100644
--- a/ckanext/datatablesview/public/datatablesview.js
+++ b/ckanext/datatablesview/public/datatablesview.js
@@ -222,6 +222,7 @@ function initFilterObserver () {
   // (e.g. "4 of 1000 entries (filtered from...)")
   const filterObserver = new MutationObserver(function (e) {
     const infoText = document.getElementById('dtprv_info').innerText
+    // FIXME: TODO: move style attributes to classes
     if (!infoText.includes('(')) {
       document.getElementById('filterinfoicon').style.visibility = 'hidden'
     } else {

From dd56a4551b6546d4ab2430e8d5dc22202ea0db62 Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Mon, 25 Aug 2025 13:16:38 +0000
Subject: [PATCH 09/12] revert(css): data image;

- Revert any overrides, they ar ein canada plugin now.
---
 ckan/public/base/css/main.css | 92 +++++++----------------------------
 1 file changed, 18 insertions(+), 74 deletions(-)

diff --git a/ckan/public/base/css/main.css b/ckan/public/base/css/main.css
index 35979bb5bb6..98b0cdc8a62 100644
--- a/ckan/public/base/css/main.css
+++ b/ckan/public/base/css/main.css
@@ -2348,8 +2348,7 @@ textarea.form-control-lg {
   line-height: 1.5;
   color: #333333;
   background-color: #fff;
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/chevron-down.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e");
   background-repeat: no-repeat;
   background-position: right 0.75rem center;
   background-size: 16px 12px;
@@ -2440,18 +2439,15 @@ textarea.form-control-lg {
   border-color: #206b82;
 }
 .form-check-input:checked[type=checkbox] {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/check.svg"), url("/static/img/data_img/check.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10l3 3l6-6'/%3e%3c/svg%3e");
 }
 .form-check-input:checked[type=radio] {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/dot.svg"), url("/static/img/data_img/dot.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='2' fill='%23fff'/%3e%3c/svg%3e");
 }
 .form-check-input[type=checkbox]:indeterminate {
   background-color: #206b82;
   border-color: #206b82;
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/dash.svg"), url("/static/img/data_img/dash.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10h8'/%3e%3c/svg%3e");
 }
 .form-check-input:disabled {
   pointer-events: none;
@@ -2468,8 +2464,7 @@ textarea.form-control-lg {
 .form-switch .form-check-input {
   width: 2em;
   margin-left: -2.5em;
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/dot-grey.svg"), url("/static/img/data_img/dot-grey.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='rgba%280, 0, 0, 0.25%29'/%3e%3c/svg%3e");
   background-position: left center;
   border-radius: 2em;
   transition: background-position 0.15s ease-in-out;
@@ -2480,13 +2475,11 @@ textarea.form-control-lg {
   }
 }
 .form-switch .form-check-input:focus {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/dot-blue.svg"), url("/static/img/data_img/dot-blue.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%2390b5c1'/%3e%3c/svg%3e");
 }
 .form-switch .form-check-input:checked {
   background-position: right center;
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/dot-white.svg"), url("/static/img/data_img/dot-white.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%23fff'/%3e%3c/svg%3e");
 }
 
 .form-check-inline {
@@ -2756,8 +2749,7 @@ textarea.form-control-lg {
 .was-validated .form-control:valid, .form-control.is-valid {
   border-color: #3A833A;
   padding-right: calc(1.5em + 0.75rem);
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/check-green.svg"), url("/static/img/data_img/check-green.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'%3e%3cpath fill='%233A833A' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");
   background-repeat: no-repeat;
   background-position: right calc(0.375em + 0.1875rem) center;
   background-size: calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
@@ -2777,8 +2769,7 @@ textarea.form-control-lg {
 }
 .was-validated .form-select:valid:not([multiple]):not([size]), .was-validated .form-select:valid:not([multiple])[size="1"], .form-select.is-valid:not([multiple]):not([size]), .form-select.is-valid:not([multiple])[size="1"] {
   padding-right: 4.125rem;
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/chevron-downg"), url("/data/static/img/data_img/check-green.svg"), url("/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/check-green.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'%3e%3cpath fill='%233A833A' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");
   background-position: right 0.75rem center, center right 2.25rem;
   background-size: 16px 12px, calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
 }
@@ -2847,8 +2838,7 @@ textarea.form-control-lg {
 .was-validated .form-control:invalid, .form-control.is-invalid {
   border-color: #d43f3a;
   padding-right: calc(1.5em + 0.75rem);
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/danger.svg"), url("/static/img/data_img/danger.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");
   background-repeat: no-repeat;
   background-position: right calc(0.375em + 0.1875rem) center;
   background-size: calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
@@ -2868,9 +2858,7 @@ textarea.form-control-lg {
 }
 .was-validated .form-select:invalid:not([multiple]):not([size]), .was-validated .form-select:invalid:not([multiple])[size="1"], .form-select.is-invalid:not([multiple]):not([size]), .form-select.is-invalid:not([multiple])[size="1"] {
   padding-right: 4.125rem;
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/chevron-down.svg"), url("/data/static/img/data_img/danger.svg"), url("/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/danger.svg");
-  background-position: right 0.75rem center, center right 2.25rem;
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");  background-position: right 0.75rem center, center right 2.25rem;
   background-size: 16px 12px, calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
 }
 .was-validated .form-select:invalid:focus, .form-select.is-invalid:focus {
@@ -4411,8 +4399,7 @@ textarea.form-control-lg {
   border-color: rgba(0, 0, 0, 0.1);
 }
 .navbar-light .navbar-toggler-icon {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/burger.svg"), url("/static/img/data_img/burger.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%280, 0, 0, 0.55%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e");
 }
 .navbar-light .navbar-text {
   color: rgba(0, 0, 0, 0.55);
@@ -4449,8 +4436,7 @@ textarea.form-control-lg {
   border-color: rgba(255, 255, 255, 0.1);
 }
 .navbar-dark .navbar-toggler-icon {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/burger-lite.svg"), url("/static/img/data_img/burger-lite.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%28255, 255, 255, 0.55%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e");
 }
 .navbar-dark .navbar-text {
   color: rgba(255, 255, 255, 0.55);
@@ -4647,8 +4633,7 @@ textarea.form-control-lg {
   box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.125);
 }
 .accordion-button:not(.collapsed)::after {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/chevron-down-blue.svg"), url("/static/img/data_img/chevron-down-blue.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%231d6075'%3e%3cpath fill-rule='evenodd' d='M1.646 4.646a.5.5 0 0 1 .708 0L8 10.293l5.646-5.647a.5.5 0 0 1 .708.708l-6 6a.5.5 0 0 1-.708 0l-6-6a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
   transform: rotate(-180deg);
 }
 .accordion-button::after {
@@ -4657,8 +4642,7 @@ textarea.form-control-lg {
   height: 1.25rem;
   margin-left: auto;
   content: "";
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/chevron-down-grey.svg"), url("/static/img/data_img/chevron-down-grey.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23333333'%3e%3cpath fill-rule='evenodd' d='M1.646 4.646a.5.5 0 0 1 .708 0L8 10.293l5.646-5.647a.5.5 0 0 1 .708.708l-6 6a.5.5 0 0 1-.708 0l-6-6a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
   background-repeat: no-repeat;
   background-size: 1.25rem;
   transition: transform 0.2s ease-in-out;
@@ -5347,11 +5331,7 @@ textarea.form-control-lg {
   height: 1em;
   padding: 0.25em 0.25em;
   color: #000;
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/close-black.svg"), url("/static/img/data_img/close-black.svg");
-  background-color: transparent;
-  background-repeat: no-repeat;
-  background-position: center;
+  background: transparent url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23000'%3e%3cpath d='M.293.293a1 1 0 011.414 0L8 6.586 14.293.293a1 1 0 111.414 1.414L9.414 8l6.293 6.293a1 1 0 01-1.414 1.414L8 9.414l-6.293 6.293a1 1 0 01-1.414-1.414L6.586 8 .293 1.707a1 1 0 010-1.414z'/%3e%3c/svg%3e") center/1em auto no-repeat;
   border: 0;
   border-radius: 0.25rem;
   opacity: 0.5;
@@ -6078,13 +6058,11 @@ textarea.form-control-lg {
   } ]
 } */
 .carousel-control-prev-icon {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/chevron-left.svg"), url("/static/img/data_img/chevron-left.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23fff'%3e%3cpath d='M11.354 1.646a.5.5 0 0 1 0 .708L5.707 8l5.647 5.646a.5.5 0 0 1-.708.708l-6-6a.5.5 0 0 1 0-.708l6-6a.5.5 0 0 1 .708 0z'/%3e%3c/svg%3e");
 }
 
 .carousel-control-next-icon {
-  /* (canada fork only): CSP support */
-  background-image: url("/data/static/img/data_img/chevron-right.svg"), url("/static/img/data_img/chevron-right.svg");
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23fff'%3e%3cpath d='M4.646 1.646a.5.5 0 0 1 .708 0l6 6a.5.5 0 0 1 0 .708l-6 6a.5.5 0 0 1-.708-.708L10.293 8 4.646 2.354a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
 }
 
 .carousel-indicators {
@@ -14206,37 +14184,3 @@ div[data-module="progress-bar"] .progress-bar-label{
   margin-bottom: 23px;
 }
 
-/* (canada fork only): CSP support */
-.user-recaptcha-wrapper{
-  width: 304px;
-  height: 352px;
-  position: relative;
-}
-.user-recaptcha-frame-wrapper{
-  width: 304px;
-  height: 352px;
-  position: absolute;
-}
-.user-recaptcha-frame{
-  width: 304px;
-  height: 352px
-}
-.user-recaptcha-text-wrapper{
-  width: 250px;
-  height: 80px;
-  position: absolute;
-  bottom: 21px;
-  left: 25px;
-  margin: 0;
-  padding: 0;
-  right: 25px;
-}
-.user-recaptcha-text{
-  width: 250px;
-  height: 80px;
-  border: 1px solid #c1c1c1;
-  margin: 0;
-  padding: 0;
-  resize: none;
-}
-/* END (canada fork only): CSP support END */
\ No newline at end of file

From 18668ead4e4c531aec92f883a2ad01fe3450af39 Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Mon, 25 Aug 2025 13:42:24 +0000
Subject: [PATCH 10/12] revert(css): data image;

- Revert any overrides, they ar ein canada plugin now.
---
 ckan/public/base/css/main.css                                 | 4 ++--
 ckan/public/base/javascript/modules/metadata-button.js        | 1 +
 ckanext/datatablesview/public/datatablesview.js               | 2 +-
 .../datatablesview/templates/datatables/datatables_view.html  | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ckan/public/base/css/main.css b/ckan/public/base/css/main.css
index 98b0cdc8a62..4c0ae550b8a 100644
--- a/ckan/public/base/css/main.css
+++ b/ckan/public/base/css/main.css
@@ -2858,7 +2858,8 @@ textarea.form-control-lg {
 }
 .was-validated .form-select:invalid:not([multiple]):not([size]), .was-validated .form-select:invalid:not([multiple])[size="1"], .form-select.is-invalid:not([multiple]):not([size]), .form-select.is-invalid:not([multiple])[size="1"] {
   padding-right: 4.125rem;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");  background-position: right 0.75rem center, center right 2.25rem;
+  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");
+  background-position: right 0.75rem center, center right 2.25rem;
   background-size: 16px 12px, calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
 }
 .was-validated .form-select:invalid:focus, .form-select.is-invalid:focus {
@@ -14183,4 +14184,3 @@ div[data-module="progress-bar"] .progress-bar-label{
   text-align: right;
   margin-bottom: 23px;
 }
-
diff --git a/ckan/public/base/javascript/modules/metadata-button.js b/ckan/public/base/javascript/modules/metadata-button.js
index 5a5a7300827..4d2728cb4c6 100644
--- a/ckan/public/base/javascript/modules/metadata-button.js
+++ b/ckan/public/base/javascript/modules/metadata-button.js
@@ -18,6 +18,7 @@ ckan.module('metadata-button', function(jQuery) {
     },
 
     _onClick: function(event) {
+      console.log("PRESSED THE BUTTON");
       // FIXME: TODO: move style attributes to classes
       var div = document.getElementById("metadata_diff");
       if (div.style.display === "none") {
diff --git a/ckanext/datatablesview/public/datatablesview.js b/ckanext/datatablesview/public/datatablesview.js
index 4cd4202f02d..63942de6e24 100644
--- a/ckanext/datatablesview/public/datatablesview.js
+++ b/ckanext/datatablesview/public/datatablesview.js
@@ -599,7 +599,7 @@ this.ckan.module('datatables_view', function (jQuery) {
         }, // end stateSaveParams
         initComplete: function (settings, json) {
 
-          // (canada forn only): no inline event handler for CSP support
+          // (canada fork only): no inline event handler for CSP support
           let refitColButton = $('#refit-button');
           if( refitColButton.length > 0 ){
             $(refitColButton).off('click.dt_refit');
diff --git a/ckanext/datatablesview/templates/datatables/datatables_view.html b/ckanext/datatablesview/templates/datatables/datatables_view.html
index 78ce05ddf0e..c7465d3b715 100644
--- a/ckanext/datatablesview/templates/datatables/datatables_view.html
+++ b/ckanext/datatablesview/templates/datatables/datatables_view.html
@@ -72,7 +72,7 @@
         <th id="_colspacer">colspacer</th>
       </tr>
       <tr>
-        {# (canada forn only): no inline event handler for CSP support #}
+        {# (canada fork only): no inline event handler for CSP support #}
         <th><button id="refit-button" class="btn btn-default" title="{{- _('Refit') -}}"><i class="fa fa-text-width"></i></button></th>
         {% for field in datadictionary -%}
           {% if 'show_fields' not in resource_view or field.id in resource_view.show_fields -%}

From f238097f1ff0f18e38423b73304162d8cdbb586b Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Mon, 25 Aug 2025 13:48:01 +0000
Subject: [PATCH 11/12] revert(css): data image;

- Revert any overrides, they ar ein canada plugin now.
---
 ckan/templates/user/snippets/recaptcha.html                 | 6 +++++-
 ckanext/activity/templates/group/changes.html               | 1 +
 ckanext/activity/templates/organization/changes.html        | 1 +
 ckanext/activity/templates/package/changes.html             | 1 +
 .../activity/templates/snippets/activity_type_selector.html | 1 +
 ckanext/activity/templates/snippets/pagination.html         | 1 +
 .../activity/templates/user/snippets/followee_dropdown.html | 1 +
 ckanext/imageview/theme/templates/image_view.html           | 1 +
 8 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ckan/templates/user/snippets/recaptcha.html b/ckan/templates/user/snippets/recaptcha.html
index 7e3309cbff4..33d025bc9a5 100644
--- a/ckan/templates/user/snippets/recaptcha.html
+++ b/ckan/templates/user/snippets/recaptcha.html
@@ -5,12 +5,16 @@
     <div class="g-recaptcha" data-sitekey="{{ public_key }}"></div>
 
     <noscript>
+      {# (canada fork only): no inline style attr #}
       <div class="user-recaptcha-wrapper">
+        {# (canada fork only): no inline style attr #}
         <div class="user-recaptcha-frame">
+          {# (canada fork only): no inline style attr #}
           <iframe class="user-recaptcha-frame" title="Recaptcha" src="https://www.google.com/recaptcha/api/fallback?k={{ public_key }}" frameborder="0" scrolling="no"></iframe>
         </div>
-
+        {# (canada fork only): no inline style attr #}
         <div class="user-recaptcha-text-wrapper">
+          {# (canada fork only): no inline style attr #}
           <textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response user-recaptcha-text"></textarea>
         </div>
       </div>
diff --git a/ckanext/activity/templates/group/changes.html b/ckanext/activity/templates/group/changes.html
index c162e97a7f0..cc1f5fadf2a 100644
--- a/ckanext/activity/templates/group/changes.html
+++ b/ckanext/activity/templates/group/changes.html
@@ -46,6 +46,7 @@ <h1 class="page-heading">{{ _('Changes') }}</h1>
         {% if i == 0 %}
           {# button to show JSON metadata diff for the most recent change - not shown by default #}
           <input type="button" data-module="metadata-button" data-module-target="" class="btn" value="Show metadata diff" id="metadata_button"></input>
+          {# (canada fork only): no inline style attr #}
           <div id="metadata_diff" class="d-none-soft">
           {% block group_changes_diff %}
             <pre>
diff --git a/ckanext/activity/templates/organization/changes.html b/ckanext/activity/templates/organization/changes.html
index c23bae7fe7e..133f496e682 100644
--- a/ckanext/activity/templates/organization/changes.html
+++ b/ckanext/activity/templates/organization/changes.html
@@ -46,6 +46,7 @@ <h1 class="page-heading">{{ _('Changes') }}</h1>
         {% if i == 0 %}
           {# button to show JSON metadata diff for the most recent change - not shown by default #}
           <input type="button" data-module="metadata-button" data-module-target="" class="btn" value="Show metadata diff" id="metadata_button"></input>
+          {# (canada fork only): no inline style attr #}
           <div id="metadata_diff" class="d-none-soft">
           {% block organization_changes_diff %}
             <pre>
diff --git a/ckanext/activity/templates/package/changes.html b/ckanext/activity/templates/package/changes.html
index 1b0c5a16f3b..1dee573606b 100644
--- a/ckanext/activity/templates/package/changes.html
+++ b/ckanext/activity/templates/package/changes.html
@@ -46,6 +46,7 @@ <h1 class="page-heading">{{ _('Changes') }}</h1>
         {% if i == 0 %}
           {# button to show JSON metadata diff for the most recent change - not shown by default #}
           <input type="button" data-module="metadata-button" data-module-target="" class="btn" value="Show metadata diff" id="metadata_button"></input>
+          {# (canada fork only): no inline style attr #}
           <div id="metadata_diff" class="d-none-soft">
           {% block package_changes_diff %}
             <pre>
diff --git a/ckanext/activity/templates/snippets/activity_type_selector.html b/ckanext/activity/templates/snippets/activity_type_selector.html
index 135c8d836ad..d68451bf49e 100644
--- a/ckanext/activity/templates/snippets/activity_type_selector.html
+++ b/ckanext/activity/templates/snippets/activity_type_selector.html
@@ -10,6 +10,7 @@
 #}
 
 {# (canada fork only): translations and blocks #}
+{# (canada fork only): no inline style attr #}
 
 <div id="activity_types_filter" class="{%- block activity_form_classes -%}{%- endblock -%} mb-4" data-module="activity-stream">
   <label for="activity_types_filter_select" class="{%- block activity_label_classes -%}{%- endblock -%}">{{ _('Activity type') }}</label>
diff --git a/ckanext/activity/templates/snippets/pagination.html b/ckanext/activity/templates/snippets/pagination.html
index 0ad2af88994..1722bfe20cf 100644
--- a/ckanext/activity/templates/snippets/pagination.html
+++ b/ckanext/activity/templates/snippets/pagination.html
@@ -1,6 +1,7 @@
 {% set class_prev = "btn btn-default" if newer_activities_url else "btn disabled" %}
 {% set class_next = "btn btn-default" if older_activities_url else "btn disabled" %}
 
+{# (canada fork only): no inline style attr #}
 <div id="activity_page_buttons" class="activity_buttons mt-5">
   <a href="{{ newer_activities_url }}" class="{{ class_prev }}">{{ _('Newer activities') }}</a>
   <a href="{{ older_activities_url }}" class="{{ class_next }}">{{ _('Older activities') }}</a>
diff --git a/ckanext/activity/templates/user/snippets/followee_dropdown.html b/ckanext/activity/templates/user/snippets/followee_dropdown.html
index bbe5e045f3a..90f165db49c 100644
--- a/ckanext/activity/templates/user/snippets/followee_dropdown.html
+++ b/ckanext/activity/templates/user/snippets/followee_dropdown.html
@@ -18,6 +18,7 @@
     </a>
   </div>
 
+  {# (canada fork only): no inline style attr #}
   <form id="followee-content" action="/dashboard" class="d-none-soft">
     <div class="popover-header">
       <div class="input-group">
diff --git a/ckanext/imageview/theme/templates/image_view.html b/ckanext/imageview/theme/templates/image_view.html
index ef996edcc03..ed0596cad00 100644
--- a/ckanext/imageview/theme/templates/image_view.html
+++ b/ckanext/imageview/theme/templates/image_view.html
@@ -1,2 +1,3 @@
+{# (canada fork only): no inline style attr #}
 <img class="d-block mx-auto my-auto mh-100" src="{{ resource_view.get('image_url') or resource.get('url') }}"
 alt="{%- if h.lang() == 'fr' -%}{{ resource_view.get('title_fr') }}{%- else -%}{{ resource_view.get('title') }}{%- endif -%}"/>

From 980864fbbc179bde5db462ddcf92f16a78c62888 Mon Sep 17 00:00:00 2001
From: Jesse Vickery <jesse.vickery@tbs-sct.gc.ca>
Date: Mon, 25 Aug 2025 18:07:39 +0000
Subject: [PATCH 12/12] feat(dev): validator;

- New validator for http header values.
---
 ckan/logic/validators.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/ckan/logic/validators.py b/ckan/logic/validators.py
index 1092347ff72..f7b76e47709 100644
--- a/ckan/logic/validators.py
+++ b/ckan/logic/validators.py
@@ -41,6 +41,11 @@
 Missing = df.Missing
 missing = df.missing
 
+# (canada fork only): http header value validator
+# TODO: upstream contrib??
+header_bad_value_match = re.compile(r'[^\x20-\x7E\t]')
+new_line_match = re.compile(r'[\r\n]')
+
 
 def owner_org_validator(key: FlattenKey, data: FlattenDataDict,
                         errors: FlattenErrorDict, context: Context) -> Any:
@@ -1171,3 +1176,18 @@ def license_choices(value, context):
     if value in licenses:
         return value
     raise Invalid(_('Invalid license'))
+
+
+# (canada fork only): http header value validator
+# TODO: upstream contrib??
+def http_header_value_validator(value: Any):
+    """
+    Sanitizes safe values for HTTP headers.
+
+    Removes newline characters
+    """
+    value = re.sub(new_line_match, ' ', value)
+    bad_values = re.search(header_bad_value_match, value)
+    if bad_values:
+        raise Invalid(f'Invalid characters for HTTP Header value: {bad_values}')
+    return value
\ No newline at end of file