Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CSP "script-src" errors in Firefox #2408

merged 2 commits into from Feb 26, 2019


None yet
4 participants
Copy link

commented Feb 22, 2019

Hi guys!

I'm trying to get a bundle js file with web3@1.0.0-beta.46 packed into it into a page but the only thing I'm seeing is:

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

It happens only on Firefox. Tested on FF v65.0.1, Chrome and Safari. Here are CSP settings I'm using:

default-src *; script-src 'self'; object-src 'none'; style-src 'self';

Created a quick demo that shows the issue I'm seeing:

Apparently in this case Firefox does not care about try…catch block around new Function('return this')(). As soon as it hits new Function(…) it fails.

In this PR I address this issue. Let me know if you have any suggestions! It's my first PR here. Go easy on me! ;)


Type of change

  • Bug fix


  • I have selected the correct base branch.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no warnings.
  • I have updated or added types for all modules I've changed
  • Any dependent changes have been merged and published in downstream modules.
  • I ran npm run test in the root folder with success and extended the tests if necessary.
  • I ran npm run build in the root folder and tested it in the browser and with node.
  • I ran npm run dtslint in the root folder and tested that all my types are correct
  • I have tested my code on the live network.
Fix CSP errors in Firefox
`script-src ‘self’` blocks loading of web3.js lib.
Tested on Chrome, Safari and FF and it’s only
Firefox that gets blocked by it.

This comment has been minimized.

Copy link

commented Feb 22, 2019

Coverage Status

Coverage increased (+0.07%) to 93.251% when pulling 5b4b76d on mondoreale:1.0-csp-firefox-fix into 7ff4d8c on ethereum:1.0.

@mondoreale mondoreale changed the title Fix CSP errors in Firefox Fix CSP "script-src" errors in Firefox Feb 22, 2019

@nivida nivida added the enhancement label Feb 22, 2019


nivida approved these changes Feb 26, 2019

@nivida nivida merged commit 95cc939 into ethereum:1.0 Feb 26, 2019

1 check was pending

continuous-integration/travis-ci/pr The Travis CI build is in progress

This comment has been minimized.

Copy link

commented Feb 27, 2019

@nivida Any chance to get a new beta release out soon which includes this fix?

@mondoreale mondoreale deleted the mondoreale:1.0-csp-firefox-fix branch Mar 11, 2019

@hpihkala hpihkala referenced this pull request Mar 11, 2019


bump web3 to 1.0.0-beta.48 #40

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.