Server adds CSP header when serving custom 404 page

[rothsandro]

When serving the custom 404 page by calling a non-existing url, the Dev Server responds with a Content Security Policy header. This blocks some content like JS files.

This only happens on the 404 page. On all other pages there are no CSP headers.

Repro: https://github.com/rothsandro/repro.eleventy-404-csp

[murtuzaalisurti]

@rothsandro I am also facing this issue

in 11ty v2.0

[bobmonsour]

There's a Discord thread on this too. Seems that it only happens when developing locally. Deployed sites run js on 404 pages. Here's a link to the thread:

https://discord.com/channels/741017160297611315/1068561825391714344

[xplosionmind]

I am having this problem too!

in my 404 page:

13:03:16.304 Loading failed for the <script> with source “https://visits.tommi.space/umami.js”. asfiqourfqo:313:1
13:03:16.315 Content Security Policy: The page’s settings blocked the loading of a resource at https://visits.tommi.space/umami.js (“script-src”). asfiqourfqo
13:03:16.315 Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). asfiqourfqo:366:1
13:03:16.317 Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Source: javascript:history.go(-1) asfiqourfqo
13:03:16.371 [11ty][12:03:16.371 UTC] Connected asfiqourfqo:392:18
13:03:20.206 Source map error: Error: NetworkError when attempting to fetch resource.
Resource URL: moz-extension://99f4b94e-d4e8-4d51-8427-73faa1221a25/model/static/DOMPurify/purify.min.js
Source Map URL: purify.min.js.map

[zachleat]

Looking at this one today 🙌🏻

[zachleat]

This will roll up with dev server v1.0.4!

[xplosionmind]

Hi @zachleat, even after manually installing version 1.0.4 (since the one bundled into eleventy is not up to date), I still get these errors… do you have any idea why?

16:14:18.341 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
16:14:18.592 [11ty][15:14:18.592 UTC] Connected reload-client.js:21:18
16:14:25.469 Navigated to http://localhost:8080/whole-jam/
16:14:25.575 [11ty][15:14:25.575 UTC] Reconnecting… reload-client.js:21:18
16:14:25.674 GEThttp://localhost:8080/index.js
[HTTP/1.1 404 Not Found 2ms]

16:14:25.779 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
16:14:25.984 [11ty][15:14:25.985 UTC] Connected reload-client.js:21:18

[murtuzaalisurti]

Hi @zachleat, even after manually installing version 1.0.4 (since the one bundled into eleventy is not up to date), I still get these errors… do you have any idea why?

16:14:18.341 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
16:14:18.592 [11ty][15:14:18.592 UTC] Connected reload-client.js:21:18
16:14:25.469 Navigated to http://localhost:8080/whole-jam/
16:14:25.575 [11ty][15:14:25.575 UTC] Reconnecting… reload-client.js:21:18
16:14:25.674 GEThttp://localhost:8080/index.js
[HTTP/1.1 404 Not Found 2ms]

16:14:25.779 Loading failed for the <script> with source “http://localhost:8080/index.js”. whole-jam:10282:1
16:14:25.984 [11ty][15:14:25.985 UTC] Connected reload-client.js:21:18

it should work now, the v1.0.4 is bundled with 11ty v2.0.1

[zachleat]

@murtuzaalisurti Can you use the showVersion dev server option to verify what dev server version is being used at run time? https://www.11ty.dev/docs/dev-server/#options

[murtuzaalisurti]

@zachleat yep, it's running v1.0.4

[zachleat]

@murtuzaalisurti can you test the repo above? it’s what I worked from to fix iirc https://github.com/rothsandro/repro.eleventy-404-csp Maybe I missed something!

[murtuzaalisurti]

@murtuzaalisurti can you test the repo above? it’s what I worked from to fix iirc https://github.com/rothsandro/repro.eleventy-404-csp Maybe I missed something!

@zachleat yeah, I was able to reproduce the error. It is evident in 11ty v2.0.0 which bundles 11ty dev server v1.0.3. No issues in v1.0.4 of 11ty dev server.

[zachleat]

great! can you upgrade to 2.0.1 and help report if the issue persists locally?

[murtuzaalisurti]

great! can you upgrade to 2.0.1 and help report if the issue persists locally?

no issues! works perfect.

[zachleat]

ah, hmm—I think we may need a new issue for yours then @murtuzaalisurti (sorry!)

[murtuzaalisurti]

@zachleat so, the expected behavior should be that 11ty v2.0.0 or any 11ty version prior to 2.0.1 should bundle 11ty dev server version 1.0.4 or the latest, right?

[zachleat]

For 2.0.0 from a fresh install, yes. There are additional complexities around pre-installed dependencies or npm cache using an already available version that meets the package.json requirements for 2.0.0. But installing 2.0.1 should guarantee @11ty/eleventy-dev-server 1.0.4+

https://github.com/11ty/eleventy/blob/v2.0.1/package.json#L99
https://github.com/11ty/eleventy/blob/v2.0.0/package.json#L99

[murtuzaalisurti]

@zachleat yep, you are right, I tried running 11ty on stackblitz with v2.0.0 and it bundles v1.0.4 of dev server! I might need to clear npm cache I guess.