
Violating Content Security Policy #4

Closed
donaldpipowitch opened this issue Sep 2, 2014 · 3 comments

@donaldpipowitch

commented Sep 2, 2014

Calling require('lodash') on GitHub results in:

require('lodash')
Fetching lodash... just one second requirify-browser.js:1
Refused to connect to 'https://evening-chamber-1845.herokuapp.com/lodash/lodash' because it violates the following Content Security Policy directive: "connect-src 'self' ghconduit.com:25035 live.github.com uploads.github.com s3.amazonaws.com".
 requirify-browser.js:1
Uncaught DOMException: Failed to execute 'open' on 'XMLHttpRequest': Refused to connect to 'https://evening-chamber-1845.herokuapp.com/lodash/lodash' because it violates the document's Content Security Policy. 
@outsideris


commented Sep 14, 2014

@MethodGrab


commented Oct 16, 2014

GitHub's Content Security Policy header blocks script loading from non-whitelisted domains; I don't think there is much that can be done to work around it.

GitHub Blog: CSP
Stackoverflow: Content Security Policy for extensions and bookmarklets

Content-Security-Policy:
default-src *;
script-src assets-cdn.github.com collector-cdn.github.com;
object-src assets-cdn.github.com;
style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com;
img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.githubusercontent.com *.gravatar.com *.wp.com;
media-src 'none';
frame-src 'self' render.githubusercontent.com gist.github.com www.youtube.com player.vimeo.com checkout.paypal.com;
font-src assets-cdn.github.com;
connect-src 'self' ghconduit.com:25035 live.github.com uploads.github.com www.google-analytics.com s3.amazonaws.com
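As an added example (not code from the issue or the project it was filed against), here is the source matching a browser performs when it refuses the XHR above. The policy string is abridged from the header quoted in this comment; the `parseCsp`, `sourceMatches` and `isAllowed` helpers and the fallback to `default-src` for fetch directives are my own.

```javascript
// Added example: a minimal CSP matcher answering "is this request allowed for
// this directive?". Policy abridged from the GitHub header quoted above.
const GITHUB_CSP =
  "default-src *; " +
  "script-src assets-cdn.github.com collector-cdn.github.com; " +
  "img-src 'self' data: *.githubusercontent.com; " +
  "media-src 'none'; " +
  "connect-src 'self' ghconduit.com:25035 live.github.com uploads.github.com s3.amazonaws.com";

// Split "directive src src; directive ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// One source expression: 'none', *, 'self', scheme: or [scheme://]host[:port].
function sourceMatches(src, url, page) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No explicit scheme: match the page's scheme (https also allowed on an http page).
  const want = scheme ? scheme + ':' : page.protocol;
  if (url.protocol !== want && !(want === 'http:' && url.protocol === 'https:')) return false;
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  if (!hostOk) return false;
  if (port === '*') return true;
  // No explicit port: only the scheme's default port matches (so :25035 != :443).
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  return (port || DEFAULT_PORT[url.protocol] || '') === urlPort;
}

// Fetch directives fall back to default-src; with neither present nothing is restricted.
function isAllowed(policy, directive, requestUrl, pageUrl) {
  const url = new URL(requestUrl);
  const page = new URL(pageUrl);
  const sources = policy[directive] ?? policy['default-src'];
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, url, page));
}

const policy = parseCsp(GITHUB_CSP);
```

Running `isAllowed(policy, 'connect-src', 'https://evening-chamber-1845.herokuapp.com/lodash/lodash', 'https://github.com/')` returns `false`, the same decision the console output in the issue shows.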
@mathisonian

Owner

commented Jun 26, 2015

Added https in df83ea9, but still doesn't work for the issue @MethodGrab pointed out.
