Plugin causes CSP (Content Security Policy) violations, cannot use CSP block and ID-card signing functionality at the same time #158
Comments
The extension needs to inject the TokenSigning function so that we don't break the implementation on existing websites. The requirement would be that the script tag which loads the page.js code needs to have a <script src="path-to/page.js" data-name="TokenSigning"></script>
Thanks for the info! If that works, fine by me.
Signed-off-by: Tanel Metsar <tanel.metsar@cgi.com>
Hi, thank you for this workaround, @taneltm. Hope that your pull gets merged soon, as adding the page.js file works in Chrome without any errors, but still triggers errors in Firefox and Safari. At least the functionality is now working and the ID-card is still usable.
We could not reproduce the problem: signing with ID-card in Firefox was successful in Windows and macOS.
Has the citizenos.com website been changed meanwhile?
@kinomehhaanik, we used the suggestion from @taneltm and copied https://github.com/open-eid/chrome-token-signing/blob/master/extension/page.js into our own code; this allows the ID plugin to work properly. I hope you can accept his pull and merge it into the next release, as it is a good way to get this plugin working on pages with CSP.
Safari Token Signing Signed-off-by: Raul Metsma <raul@metsma.ee>
Signed-off-by: Märt Bakhoff <mbakhoff@sigil.red>
Problem
A website wanting to support ID-card signing cannot use CSP to block on policy violations, because the Token Signing plugin will not work if the CSP is set to block.
Example:
Reproduce
Fix?
eval() directly or indirectly - https://github.com/open-eid/chrome-token-signing/blob/master/extension/content.js#L52
Resources