Lucky bug reporting conflicts with user Content-Security-Policy #1324
Labels
feature request
A new requested feature / option
Comments
|
You're referring to the error page that shows up, right? Where you can expand the error details and all that? We currently use https://github.com/crystal-loot/exception_page for that page. We may need to consider using a forked version depending on what the best solution is 🤔 |
|
Will file with @Sija, let's continue to track here. |
|
Filed as crystal-loot/exception_page#17 |
|
We still need a general mechanism to set the nonce in Lucky, not in every shard that Lucky uses that needs it. |
jwoertink
added
feature request
5 tasks
|
This is fixed already |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When Lucky reports an exception to the developer, it uses inline javascript. If the user has set a restrictive Content-Security-Policy, this is rejected. Solution: provide a way, per request, for the user to set a nonce, or for Lucky to generate a nonce for the user using Random::Secure.base64. Add the nonce to the
<script>tag, as in<script nonce="...">.In a separate issue I will discuss how to implement a content-security-policy facility in Lucky.
The text was updated successfully, but these errors were encountered: