UserVoice Widget causing errors due to CSP #141

Closed
neocotic opened this Issue Apr 3, 2013 · 4 comments


neocotic commented Apr 3, 2013

Getting the following error in the console when loading the options page:

Refused to load the script 'https://by.uservoice.com/t/i/session.js?o=%2B01%3A00' because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com https://widget.uservoice.com".

I'm pretty sure changing the CSP in the manifest to the following should do the trick:

"script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com; object-src 'self'"

This will need testing. It's not urgent as it's not currently affecting other functionality on the page (yet).

@ghost ghost assigned neocotic Apr 3, 2013

neocotic commented Apr 4, 2013

Also, it seems that UserVoice has changed their widget system. This will require some additional changes and should be done soon so we don't lose feedback support. Even though they are currently still supporting their old system, it's unlikely they will forever.

neocotic added a commit that referenced this issue Apr 22, 2013

@neocotic neocotic referenced this issue Apr 22, 2013

Merged

Feedback fix #149

neocotic commented Apr 22, 2013

This issue has been fixed by #149 and will now be closed.

@neocotic neocotic closed this Apr 22, 2013

@neocotic neocotic reopened this Apr 22, 2013

neocotic commented Apr 22, 2013

It appears this has not been fully resolved. For some reason, it works sometimes but not others. I'm hoping that adding 'unsafe-eval' to the CSP will fix this. Example of the error being seen:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com".
neocotic commented Apr 22, 2013

CSP issue has now been fixed by PR #152.

@neocotic neocotic closed this Apr 22, 2013

@neocotic neocotic added bug security and removed Error config labels Nov 15, 2017
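
Added example, not part of the original thread or the project's code: a simplified JavaScript model of CSP host-source matching, run against the policies and URL quoted in the comments above. It shows why `by.uservoice.com` is refused under the original `script-src`, allowed under the wildcard one, and why string evaluation still fails without `'unsafe-eval'`. The function names are hypothetical, and path matching, `'self'` and `default-src` fallback are left out.

```javascript
// Policies and blocked URL are quoted from the issue; the matcher is a
// simplified model of CSP host-source matching (no path matching, no 'self').
const ORIGINAL = "script-src 'self' https://ssl.google-analytics.com https://widget.uservoice.com";
const PROPOSED = "script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com; object-src 'self'";
const BLOCKED_URL = 'https://by.uservoice.com/t/i/session.js?o=%2B01%3A00';
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the source list of a directive, or null when the directive is absent.
function directiveSources(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Match one host-source expression (scheme://host[:port]) against a URL.
function hostSourceMatches(source, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const target = new URL(url);
  if (target.protocol !== m[1].toLowerCase() + ':') return false;
  const wantPort = m[3] || DEFAULT_PORT[target.protocol];
  const gotPort = target.port || DEFAULT_PORT[target.protocol];
  if (wantPort !== '*' && wantPort !== gotPort) return false;
  const host = target.hostname.toLowerCase();
  const pattern = m[2].toLowerCase();
  // "*.example.com" covers every subdomain but not the bare domain itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Would a remote script URL be allowed by the policy's script-src?
// An absent script-src is treated as an empty list (simplification).
function scriptAllowed(policy, url) {
  const sources = directiveSources(policy, 'script-src') || [];
  // Quoted keywords ('self', 'unsafe-eval') never match a remote host here.
  return sources.some((s) => !s.startsWith("'") && hostSourceMatches(s, url));
}

// eval() and new Function() on strings need 'unsafe-eval' in script-src.
function evalAllowed(policy) {
  return (directiveSources(policy, 'script-src') || []).includes("'unsafe-eval'");
}

console.log(scriptAllowed(ORIGINAL, BLOCKED_URL), scriptAllowed(PROPOSED, BLOCKED_URL), evalAllowed(PROPOSED));
```

The wildcard source trusts every subdomain of `uservoice.com`, not only the hosts the widget loads from.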
