Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https:". #31298
Comments
Can you try switching to use webpacker master version in your Gemfile?
|
@guilleiguaran this gives me the same error. Nothing changed |
@psantos10 sorry, looks like that fix won't work until we release a new version of webpacker package to npm, for now you can change the

```js
// config/webpack/development.js
const environment = require('./environment')
const webpackConfig = environment.toWebpackConfig()
webpackConfig.devtool = 'cheap-module-source-map'
module.exports = webpackConfig
```
@guilleiguaran problem not solved... Still giving the same error, but this time several times:
|
That's progress, now that webpack isn't emitting source maps with JS. Let's examine the errors:

Ok, looks like the better option, for now, is allow

```ruby
if Rails.env.development?
  p.script_src :self, :https, :unsafe_eval
  p.connect_src :self, :https, 'http://localhost:3035'
else
  p.script_src :self, :https
end
```

Sorry about the issue, we just introduced CSP DSL and we have to update Webpacker code/guides to play nicer with those new Rails settings. For more details about CSP see this PR and discussion: #31162

I'm going to close this issue since this is something we should handle better on the Webpacker side.
@guilleiguaran I think it also needs |
@adrianpacala that is good to know |
/cc @pixeltrix you might be interested in this thread |
Also, when The full snippet should look like this:

```ruby
if Rails.env.development?
  p.connect_src :self, :https, 'http://localhost:3035'
  p.script_src :self, :https, :unsafe_eval, :unsafe_inline
else
  p.script_src :self, :https
end
```
@adrianpacala thanks again, maybe the Edit: a better option for this is using nonce |
Those issues seem relevant: #29260 rails/web-console#242 |
This solved the problem... no more errors in the console:
Thanks |
Closing this in favor of rails/webpacker#1057 |
Be careful with this config @psantos10, as you allow more things in dev than in production, you might end up with some code (using |
Steps to reproduce
I created 2 demo Rails apps. One using Rails 5.1.4:
and the second with Rails 5.2.0.beta2
For both, I created a Procfile.dev with the following content:

And I start the server with foreman:

Add the line <%= javascript_pack_tag 'application' %> in the head section and change the apps/javascript/packs/application.js like this:

Expected behavior
Was expecting both to work, but only the app with Rails 5.1.4 is working.
Actual behavior
The App with Rails 5.2.0.beta2 gives me the following error on the console:
System configuration
Rails version: 5.1.4 (Working fine);
Rails version: 5.2.0.beta2 (Showing the problem);
Ruby version: 2.4.2
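
The development-only relaxations proposed in the comments above can be compared against the production policy mechanically. The Ruby script below is an added example, not code from the thread or from Rails or Webpacker; the header strings are constructed from the DSL snippets in the comments, and all method names are hypothetical.

```ruby
# Added example, not code from the thread. Header strings are constructed from
# the DSL snippets in the comments; method names are hypothetical.
PRODUCTION  = "script-src 'self' https:"
DEVELOPMENT = "script-src 'self' https: 'unsafe-eval' 'unsafe-inline'; " \
              "connect-src 'self' https: http://localhost:3035"
DEV_SERVER  = 'http://localhost:3035'

# Parse a header into { directive => [sources] }; a repeated directive is ignored.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, policy|
    name, *sources = part.split
    policy[name.downcase] ||= sources if name
  end
end

# Sources governing a directive (default-src fallback); nil means unrestricted.
def sources_for(policy, directive)
  policy[directive] || policy['default-src']
end

def allows_eval?(policy)
  list = sources_for(policy, 'script-src')
  list.nil? || list.include?("'unsafe-eval'")
end

# Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
def allows_inline_script?(policy)
  list = sources_for(policy, 'script-src')
  return true if list.nil?
  list.include?("'unsafe-inline'") && list.none? { |s| s.match?(/\A'(nonce|sha\d+)-/) }
end

# Simplified matching: wildcard, bare scheme source, or exact origin only.
def allows_connect?(policy, origin)
  list = sources_for(policy, 'connect-src')
  return true if list.nil?
  scheme = origin[/\A[a-z][a-z0-9+.-]*:/i]
  list.any? { |s| s == '*' || s.casecmp?(scheme) || s.casecmp?(origin) }
end

# What development grants and production withholds (works locally, fails in production).
def dev_only_relaxations(dev_header, prod_header)
  dev, prod = parse_csp(dev_header), parse_csp(prod_header)
  checks = { 'eval in scripts' => ->(p) { allows_eval?(p) },
             'inline scripts'  => ->(p) { allows_inline_script?(p) },
             "connect to #{DEV_SERVER}" => ->(p) { allows_connect?(p, DEV_SERVER) } }
  checks.select { |_, ok| ok.call(dev) && !ok.call(prod) }.keys
end
puts dev_only_relaxations(DEVELOPMENT, PRODUCTION)
```

With the production header as constructed here, the dev-server connection is not reported, because that header has no connect-src or default-src to restrict it.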