Server adds CSP header when serving custom 404 page #55

Closed
rothsandro opened this issue Feb 20, 2023 · 17 comments

@rothsandro

When serving the custom 404 page by calling a non-existing url, the Dev Server responds with a Content Security Policy header. This blocks some content like JS files.

This only happens on the 404 page. On all other pages there are no CSP headers.

Repro: https://github.com/rothsandro/repro.eleventy-404-csp

@murtuzaalisurti

murtuzaalisurti commented Feb 24, 2023

@rothsandro I am also facing this issue in 11ty v2.0

@bobmonsour

There's a Discord thread on this too. Seems that it only happens when developing locally. Deployed sites run js on 404 pages. Here's a link to the thread:

https://discord.com/channels/741017160297611315/1068561825391714344

@xplosionmind

I am having this problem too!

In my 404 page:

13:03:16.304 Loading failed for the <script> with source “https://visits.tommi.space/umami.js”. asfiqourfqo:313:1
13:03:16.315 Content Security Policy: The page’s settings blocked the loading of a resource at https://visits.tommi.space/umami.js (“script-src”). asfiqourfqo
13:03:16.315 Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). asfiqourfqo:366:1
13:03:16.317 Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Source: javascript:history.go(-1) asfiqourfqo
13:03:16.371 [11ty][12:03:16.371 UTC] Connected asfiqourfqo:392:18
13:03:20.206 Source map error: Error: NetworkError when attempting to fetch resource.
Resource URL: moz-extension://99f4b94e-d4e8-4d51-8427-73faa1221a25/model/static/DOMPurify/purify.min.js
Source Map URL: purify.min.js.map
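
Why the external script, the inline script and the `javascript:` link in the log above are all reported against `script-src`: when a policy has no `script-src` directive, the browser falls back to `default-src`. This is an added example, not code from this thread or from Eleventy Dev Server; the policy value `default-src 'none'` and the page origin are assumptions, since the thread does not quote the header that was sent.

```javascript
// Added example: simplified model of how a browser applies a CSP to script loads.
// ASSUMPTION: constructed policy value; the thread does not quote the header the dev server sent.
const ASSUMED_404_POLICY = "default-src 'none'";
const PAGE_ORIGIN = "http://localhost:8080"; // constructed local dev origin

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// kind: "external" (<script src>), "inline" (<script> body), "javascript-url" (href="javascript:...").
// Not modelled: nonces, hashes, scheme-only, wildcard-host and path sources.
function scriptAllowed(header, kind, url) {
  if (!header) return true; // no CSP header: nothing is restricted
  const directives = parseCsp(header);
  // script-src governs scripts; when it is absent the browser falls back to default-src.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true;
  const list = sources.filter((s) => s !== "'none'"); // 'none' matches nothing
  if (kind !== "external") return list.includes("'unsafe-inline'");
  const origin = new URL(url).origin;
  return list.some((s) => s === "*" || s === origin || (s === "'self'" && origin === PAGE_ORIGIN));
}

// The three loads that appear as blocked in the console log above.
function evaluate404Page(header) {
  return {
    analytics: scriptAllowed(header, "external", "https://visits.tommi.space/umami.js"),
    inlineScript: scriptAllowed(header, "inline"),
    historyLink: scriptAllowed(header, "javascript-url"),
  };
}

console.log("404 response with CSP:", evaluate404Page(ASSUMED_404_POLICY));
console.log("normal page, no CSP:", evaluate404Page(null));
```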

@zachleat zachleat added the bug Something isn't working label Mar 13, 2023
@zachleat zachleat added this to the Eleventy Dev Server v1.0.4 milestone Mar 13, 2023
@zachleat zachleat self-assigned this Mar 13, 2023
@zachleat
Member

Looking at this one today 🙌🏻

@zachleat
Member

This will roll up with dev server v1.0.4!

@xplosionmind

Hi @zachleat, even after manually installing version 1.0.4 (since the one bundled into eleventy is not up to date), I still get these errors… do you have any idea why?

16:14:18.341 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
16:14:18.592 [11ty][15:14:18.592 UTC] Connected reload-client.js:21:18
16:14:25.469 Navigated to http://localhost:8080/whole-jam/
16:14:25.575 [11ty][15:14:25.575 UTC] Reconnecting… reload-client.js:21:18
16:14:25.674 GET http://localhost:8080/index.js
[HTTP/1.1 404 Not Found 2ms]

16:14:25.779 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
16:14:25.984 [11ty][15:14:25.985 UTC] Connected reload-client.js:21:18

@murtuzaalisurti

> Hi @zachleat, even after manually installing version 1.0.4 (since the one bundled into eleventy is not up to date), I still get these errors… do you have any idea why?
>
> 16:14:18.341 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
> 16:14:18.592 [11ty][15:14:18.592 UTC] Connected reload-client.js:21:18
> 16:14:25.469 Navigated to http://localhost:8080/whole-jam/
> 16:14:25.575 [11ty][15:14:25.575 UTC] Reconnecting… reload-client.js:21:18
> 16:14:25.674 GET http://localhost:8080/index.js
> [HTTP/1.1 404 Not Found 2ms]
>
> 16:14:25.779 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
> 16:14:25.984 [11ty][15:14:25.985 UTC] Connected reload-client.js:21:18

It should work now, the v1.0.4 is bundled with 11ty v2.0.1

@zachleat
Member

@murtuzaalisurti Can you use the showVersion dev server option to verify what dev server version is being used at run time? https://www.11ty.dev/docs/dev-server/#options

@murtuzaalisurti

@zachleat yep, it's running v1.0.4

@zachleat
Member

@murtuzaalisurti can you test the repo above? it’s what I worked from to fix iirc https://github.com/rothsandro/repro.eleventy-404-csp Maybe I missed something!

@murtuzaalisurti

murtuzaalisurti commented Mar 30, 2023

> @murtuzaalisurti can you test the repo above? it’s what I worked from to fix iirc https://github.com/rothsandro/repro.eleventy-404-csp Maybe I missed something!

@zachleat yeah, I was able to reproduce the error. It is evident in 11ty v2.0.0 which bundles 11ty dev server v1.0.3. No issues in v1.0.4 of 11ty dev server.

@zachleat
Member

great! can you upgrade to 2.0.1 and help report if the issue persists locally?

@murtuzaalisurti

> great! can you upgrade to 2.0.1 and help report if the issue persists locally?

no issues! works perfect.

@zachleat
Member

ah, hmm—I think we may need a new issue for yours then @murtuzaalisurti (sorry!)

@murtuzaalisurti

@zachleat so, the expected behavior should be that 11ty v2.0.0 or any 11ty version prior to 2.0.1 should bundle 11ty dev server version 1.0.4 or the latest, right?

@zachleat
Member

For 2.0.0 from a fresh install, yes. There are additional complexities around pre-installed dependencies or npm cache using an already available version that meets the package.json requirements for 2.0.0. But installing 2.0.1 should guarantee @11ty/eleventy-dev-server 1.0.4+

https://github.com/11ty/eleventy/blob/v2.0.1/package.json#L99
https://github.com/11ty/eleventy/blob/v2.0.0/package.json#L99

@murtuzaalisurti

@zachleat yep, you are right, I tried running 11ty on stackblitz with v2.0.0 and it bundles v1.0.4 of dev server! I might need to clear npm cache I guess.
