
--csp option doesn't work with noscript #1663

Closed
vkammerer opened this issue Jun 28, 2014 · 7 comments

Comments

@vkammerer

Packages that include a "noscript" attribute (like the "core-toolbar" and "core-field" packages) make vulcanize generate an inline "script" tag, even when the --csp option is used. This triggers errors when used in a Chrome packaged app (and is obviously a bug, since the point of --csp is to get rid of inline scripts).
I don't know if this should be fixed in the packages themselves or in vulcanize, so I am just opening this issue here.

@sachinhosmani

I faced the exact same issue.

@toyoshim

I may have hit the same problem.
I built my Chrome Apps with Polymer and vulcanize --csp, and it worked on Chrome 35.
But it looks like Chrome 36 reports a CSP violation as:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

It does not point to the right error location (it says index.html:1), but I can reproduce a similar error with <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-eval'; style-src 'unsafe-inline'"> even on web apps served over HTTPS.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

In this case, the console shows that the error happens at polymer.js:13.

My app imports core-toolbar, which vkammerer said uses noscript.

Do you know any workaround for this?
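
The CSP messages quoted above are the browser refusing an inline script because the governing directive (script-src, else default-src as the fallback) lacks 'unsafe-inline'. The following is an added example, not code from vulcanize, Polymer or anyone in this thread: a small post-build check that lists inline script elements in a vulcanized HTML file and decides whether a given policy would refuse them, so a build can fail before the app reaches the browser. The function names, SAMPLE_HTML and SAMPLE_CSP are constructed for illustration; SAMPLE_HTML is not real vulcanize output.

```javascript
// Added example (not vulcanize's own code): audit a vulcanized HTML string for
// inline <script> elements and check them against a Content Security Policy.

// Find <script> elements that carry no src attribute, i.e. inline scripts.
// Returns the 1-based line number of each and a short preview of its body.
function findInlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script: allowed by 'self'
    const line = html.slice(0, m.index).split('\n').length;
    hits.push({ line, body: m[2].trim().slice(0, 40) });
  }
  return hits;
}

// Parse a CSP header or meta value into a map of directive -> source list.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Inline script execution is allowed only if the governing directive
// (script-src, otherwise default-src as the fallback) lists 'unsafe-inline'.
// Hashes and nonces are deliberately ignored: the injected scripts discussed
// in the thread carry neither, so they cannot be allow-listed that way.
function cspAllowsInlineScript(policy) {
  const d = parseCsp(policy);
  const governing = d['script-src'] || d['default-src'];
  if (!governing) return true; // no directive governs scripts: nothing to refuse
  return governing.includes("'unsafe-inline'");
}

// Report every inline script, and which of them the policy would refuse.
function auditVulcanizedOutput(html, policy) {
  const inline = findInlineScripts(html);
  return {
    inlineScripts: inline,
    refused: cspAllowsInlineScript(policy) ? [] : inline,
  };
}

// Constructed sample (not real vulcanize output): an element declared with
// `noscript` for which a registration call was injected inline, plus one
// external script that a 'self' policy permits.
const SAMPLE_HTML = [
  '<html><head>',
  '<script src="polymer.js"></script>',
  '<polymer-element name="core-toolbar" noscript>',
  '<template><div class="toolbar"></div></template>',
  '</polymer-element>',
  '<script>Polymer("core-toolbar");</script>',
  '</head><body></body></html>',
].join('\n');

// The policy quoted in the thread.
const SAMPLE_CSP = "default-src 'self' 'unsafe-eval'; style-src 'unsafe-inline'";

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditVulcanizedOutput(SAMPLE_HTML, SAMPLE_CSP);
  for (const s of report.refused) {
    console.log(`line ${s.line}: inline script would be refused: ${s.body}`);
  }
  process.exitCode = report.refused.length > 0 ? 1 : 0;
}
```

Run against the sample, the audit flags the injected registration script on line 6 and reports it as refused, because neither script-src nor the default-src fallback grants 'unsafe-inline'; the external polymer.js reference is not flagged. Pointing the same check at the real vulcanize --csp output is a cheap way to confirm that no inline script survived the build.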

@ragingwind
Contributor

Refer to @robdodson's comment on Polymer/polymer#613 (comment)

@toyoshim

Thanks, I'll track related issues.

FYI, I modified core-toolbar to have a dummy script and removed the noscript attribute. It works for me as a quick workaround.

@yoavniran

Thanks @toyoshim! I was facing the same issue, and adding the dummy script and removing the noscript attr solved it for me too.

@kevinpschaaf
Member

Fixed by Polymer/polymer-bundler@e068dee. Using vulcanize --csp should result in no inline scripts injected at vulcanize-time or runtime due to noscript elements.

@ragingwind
Contributor

👍

@aomarks aomarks transferred this issue from Polymer/polymer-bundler Jan 3, 2019
7 participants