Got this started in a branch, but still chasing down a CSP violation report. Everything on the site seems to work, but I can't figure out where this report is coming from. I have a hunch that it's mustache templates, which we don't pre-compile and thus invoke eval at runtime.

{
  "csp-report": {
    "line-number": 1,
    "blocked-uri": "self",
    "document-uri": "http:\/\/testpilot.dev:8000\/experiments\/universal-search",
    "script-sample": ";(function installGlobalHook(window) {\n\t...",
    "referrer": "",
    "source-file": "http:\/\/testpilot.dev:8000\/experiments\/universal-search",
    "original-policy": "img-src http:\/\/testpilot.dev:8000 http:\/\/*.mozilla.net https:\/\/*.mozilla.net http:\/\/*.mozilla.org https:\/\/*.mozilla.org http:\/\/*.gravatar.com https:\/\/*.gravatar.com http:\/\/*.google-analytics.com https:\/\/*.google-analytics.com https:\/\/ssl.gstatic.com\/; default-src http:\/\/testpilot.dev:8000; font-src http:\/\/testpilot.dev:8000 http:\/\/*.mozilla.net https:\/\/*.mozilla.net http:\/\/*.mozilla.org https:\/\/*.mozilla.org; style-src http:\/\/testpilot.dev:8000 'unsafe-inline' http:\/\/*.mozilla.org https:\/\/*.mozilla.org http:\/\/*.mozilla.net https:\/\/*.mozilla.net; script-src http:\/\/testpilot.dev:8000 'unsafe-eval' http:\/\/*.mozilla.org https:\/\/*.mozilla.org http:\/\/*.mozilla.net https:\/\/*.mozilla.net http:\/\/*.google-analytics.com https:\/\/*.google-analytics.com https:\/\/apis.google.com; report-uri http:\/\/testpilot.dev:8000\/__cspreport__",
    "violated-directive": "script-src http:\/\/testpilot.dev:8000 'unsafe-eval' http:\/\/*.mozilla.org https:\/\/*.mozilla.org http:\/\/*.mozilla.net https:\/\/*.mozilla.net http:\/\/*.google-analytics.com https:\/\/*.google-analytics.com https:\/\/apis.google.com"
  }
}

But if anyone has a better CSP hunch here, it would be welcome :)

Implement Content Security Policy #882

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions