
Wproofreader require unsafe-inline and unsafe-eval to work (CSP) #19

Closed
mlewand opened this issue Sep 11, 2019 · 7 comments

@mlewand mlewand commented Sep 11, 2019

It would be great if Wproofreader didn't require 'unsafe-inline' 'unsafe-eval' content security policy settings.

Without the above settings you get the following errors:

  • No unsafe-eval:

    wscbundle.js:38 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://svc.webspellchecker.net".
        at new Function (<anonymous>)
        at f (wscbundle.js:38)
        at f (wscbundle.js:38)
        at Object.render (wscbundle.js:38)
        at b.value [as _original_render] (wscbundle.js:42)
        at b.render (wscbundle.js:43)
        at Object.render (wscbundle.js:45)
        at d.buildElement (wscbundle.js:45)
        at d.init (wscbundle.js:45)
        at wscbundle.js:36

  • No unsafe-inline:

    Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://svc.webspellchecker.net". Either the 'unsafe-inline' keyword, a hash ('sha256-4YQgZ2iWooOAGOb+ToWyEAxGEEWI3YiEPXDjCdzRx6Q='), or a nonce ('nonce-...') is required to enable inline execution.
    
@mlewand mlewand changed the title CSP Wproofreader require unsafe-inline and unsafe-eval to work Wproofreader require unsafe-inline and unsafe-eval to work (CSP) Sep 11, 2019
@jalners jalners (Member) commented Sep 12, 2019

We investigated issues with Content Security Policy.

  1. No unsafe-eval - we use new Function in our template engine. Unfortunately, we do not plan to redo it in the near future. If we do it, it will take us too much time to change all our templates and UI. We have already added it to our backlog to make sure this one is not lost. As soon as our priorities change and the most critical work is done, we will return to this one. As for now, you need to add unsafe-eval.
  2. No unsafe-inline - you have two options here:
    • You can create a *.js file for WEBSPELLCHECKER_CONFIG (e.g. wscbundle_config.js) and then load it from the file on your web page.
    • You can initialize wscbundle.js using inline data attributes:
<script
  data-wsc-serviceid="your-service-ID"
  data-wsc-autosearch="true"
  src="https://svc.webspellchecker.net/spellcheck31/wscbundle/wscbundle.js">
</script>
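The comment above names the root cause of the 'unsafe-eval' error: a template engine that compiles templates with `new Function`. The following is an added example, not WProofreader's code, showing the two approaches side by side: a compiling renderer whose `new Function` call is what a script-src without 'unsafe-eval' blocks, and an interpreting renderer that produces identical output without ever turning a string into code. It also includes a small check that reads a CSP string such as the one quoted in the issue and reports whether script-src grants a given keyword. The `{{path}}` template syntax, the sample data and the policy strings are constructed for this demonstration; `scriptSrcAllows` honours only the `script-src`/`default-src` fallback and ignores `script-src-elem`/`script-src-attr`.

```javascript
// Added example, not WProofreader's code: the 'unsafe-eval' requirement comes
// from compiling templates with `new Function`; an interpreting renderer that
// never evaluates a string as code produces the same output without it.
// The {{path}} template syntax, the sample data and the CSP strings below are
// constructed for this demonstration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape interpolated values so template data cannot inject markup.
function escapeHtml(value) {
  if (value == null) return '';
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Resolve a dotted path such as "user.name" against a data object.
function getPath(obj, path) {
  return path.split('.').reduce((o, key) => (o == null ? undefined : o[key]), obj);
}

const PLACEHOLDER = /\{\{\s*([\w.]+)\s*\}\}/g;

// Variant 1: compile the template into JavaScript source and hand it to
// `new Function`. This is the pattern behind "at new Function (<anonymous>)"
// in the stack trace in the issue; a script-src without 'unsafe-eval' makes
// the browser throw EvalError at exactly this call.
function compileWithFunction(template) {
  const body = template
    .split(/(\{\{\s*[\w.]+\s*\}\})/)
    .map((part) => {
      const m = part.match(/^\{\{\s*([\w.]+)\s*\}\}$/);
      return m
        ? `esc(get(data, ${JSON.stringify(m[1])}))`
        : JSON.stringify(part);
    })
    .join(' + ');
  return new Function('data', 'esc', 'get', `return ${body};`);
}

function renderWithFunction(template, data) {
  return compileWithFunction(template)(data, escapeHtml, getPath);
}

// Variant 2: interpret the template at render time. No string is ever
// evaluated as code, so 'self' plus the bundle's host is enough in script-src.
function renderWithoutEval(template, data) {
  return template.replace(PLACEHOLDER, (_, path) => escapeHtml(getPath(data, path)));
}

// Does a CSP string grant a keyword source to scripts? Honours the default-src
// fallback; script-src-elem/script-src-attr are out of scope for this check.
function scriptSrcAllows(policy, keyword) {
  const directives = new Map(
    policy
      .split(';')
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => {
        const [name, ...sources] = d.split(/\s+/);
        return [name.toLowerCase(), sources.map((s) => s.toLowerCase())];
      }),
  );
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  return sources.includes(keyword.toLowerCase());
}

// Example run with constructed data.
const template = '<li class="{{cls}}">{{user.name}}</li>';
const data = { cls: 'suggestion', user: { name: '<b>Mallory</b>' } };
console.log(renderWithoutEval(template, data));
try {
  console.log(renderWithFunction(template, data) === renderWithoutEval(template, data));
} catch (e) {
  // EvalError when code generation from strings is disallowed.
  console.log(`${e.name}: compiled template refused`);
}

const policyFromIssue = "script-src 'self' https://svc.webspellchecker.net";
console.log(scriptSrcAllows(policyFromIssue, "'unsafe-eval'"));
```

Running the file with `node --disallow-code-generation-from-strings` reproduces the browser behaviour: `renderWithFunction` throws an EvalError at the `new Function` call while `renderWithoutEval` still renders, which is the difference between needing and not needing 'unsafe-eval' in script-src.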
@mlewand mlewand (Author) commented Sep 13, 2019

Your solution for unsafe-inline works like a charm. So the only thing open is the unsafe-eval policy 🤞

@jalners jalners (Member) commented Sep 13, 2019

Thank you for confirming that our recommendations for unsafe-inline worked for you well.

And we have good news for you regarding unsafe-eval. Yesterday, we conducted a small investigation and it appeared that the fix will not take as long as we thought initially. It will take us some additional time for testing, but we expect it will be live soon (approximately mid-October).

@mlewand mlewand (Author) commented Sep 13, 2019

Great news! I'll keep an eye on the issue. I'm sure this will allow more people/companies to use Wproofreader.

@jshaptala jshaptala (Member) commented Nov 20, 2019

@mlewand the fix for this issue was released last week, on Nov 14, 2019.
Could you please recheck that you are no longer having issues with content security policy when using WProofreader?

@jshaptala jshaptala (Member) commented Nov 25, 2019

@mlewand Did you have a chance to take a look and check our fix?

@mlewand mlewand (Author) commented Nov 27, 2019

Hey @jshaptala @jalners I can confirm that unsafe-eval is no longer required, thanks!
