Missing “script-src-attr” Content-Security-Policy #6168

DanWin · 2024-01-15T10:44:46Z

Describe the current behavior

When enabling CSP, the following issue is reported:
Content-Security-Policy: The page’s settings observed the loading of a resource at inline (“script-src-attr”). A CSP report is being sent.
Disabling report-only mode breaks the page.

Steps to reproduce

Install latest peertube 6.0.2
Enable CSP
Open the website and observe above error message

Describe the expected behavior

Enabling CSP should not break functionality. A script-src-attr policy should be added to achieve this, most likely it will need to allow "unsafe-inline".

Additional information

PeerTube instance:
- Version: 6.0.2
- NodeJS version: v21.5.0
Browser name, version and platforms on which you could reproduce the bug: Current Firefox and Chrome versions in Ubuntu

TNTBOMBOM · 2024-02-27T20:31:31Z

cc @Chocobozzz

Chocobozzz · 2024-02-28T07:31:30Z

Fixed by c753812

Chocobozzz added the Type: Bug 🐛 Confirmed bug, at least replicated once by another contributor label Feb 28, 2024

Chocobozzz closed this as completed Feb 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing “script-src-attr” Content-Security-Policy #6168

Missing “script-src-attr” Content-Security-Policy #6168

DanWin commented Jan 15, 2024 •

edited by Chocobozzz

TNTBOMBOM commented Feb 27, 2024

Chocobozzz commented Feb 28, 2024

Missing “script-src-attr” Content-Security-Policy #6168

Missing “script-src-attr” Content-Security-Policy #6168

Comments

DanWin commented Jan 15, 2024 • edited by Chocobozzz

Describe the current behavior

Steps to reproduce

Describe the expected behavior

Additional information

TNTBOMBOM commented Feb 27, 2024

Chocobozzz commented Feb 28, 2024

DanWin commented Jan 15, 2024 •

edited by Chocobozzz