UserVoice Widget causing errors due to CSP #141

Closed
neocotic opened this Issue Apr 3, 2013 · 4 comments

neocotic commented Apr 3, 2013

Getting the following error in the console when loading the options page:

Refused to load the script 'https://by.uservoice.com/t/i/session.js?o=%2B01%3A00' because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com https://widget.uservoice.com".

I'm pretty sure changing the CSP in the manifest to the following should do the trick:

"script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com; object-src 'self'"

This will need testing. It's not urgent as it's not currently affecting other functionality on the page (yet).

@ghost ghost assigned neocotic Apr 3, 2013


neocotic commented Apr 4, 2013

Also, it seems that UserVoice has changed their widget system. This will require some additional changes and should be done soon so we don't lose feedback support. Even though they are currently still supporting their old system, it's unlikely they will forever.

@neocotic neocotic referenced this issue Apr 22, 2013

Merged

Feedback fix #149


neocotic commented Apr 22, 2013

This issue has been fixed by #149 and will now be closed.

@neocotic neocotic closed this Apr 22, 2013

@neocotic neocotic reopened this Apr 22, 2013


neocotic commented Apr 22, 2013

It appears this has not been fully resolved. For some reason, it works sometimes but not others. I'm hoping that adding 'unsafe-eval' to the CSP will fix this. Example of the error being seen:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com".

neocotic commented Apr 22, 2013

CSP issue has now been fixed by PR #152.

@neocotic neocotic closed this Apr 22, 2013

@neocotic neocotic added bug security and removed Error config labels Nov 15, 2017
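
The two errors in this thread, as an added example that is not code from this project or from any participant: a simplified `script-src` matcher run against the policies quoted above, showing why `by.uservoice.com` is refused by the original policy, accepted once the host source becomes `*.uservoice.com`, and why string evaluation is still refused without `'unsafe-eval'`. It models scheme and host only; the function names and the extension origin placeholder are assumptions.

```javascript
// Added example: simplified CSP script-src matching (scheme and host only;
// ports, paths and default-src fallback are not modelled).
const ORIGINAL = "script-src 'self' https://ssl.google-analytics.com https://widget.uservoice.com";
const PROPOSED = "script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com; object-src 'self'";
const BLOCKED_SCRIPT = 'https://by.uservoice.com/t/i/session.js?o=%2B01%3A00';
const PAGE_ORIGIN = 'chrome-extension://EXTENSION_ID_PLACEHOLDER'; // placeholder, not a real id

function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return [];
}

function hostMatches(pattern, host) {
  // "*.example.com" covers subdomains at any depth, but not "example.com" itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return parseScriptSrc(policy).some((src) => {
    if (src === "'self'") return url.origin === pageOrigin;
    if (src.startsWith("'")) return false; // other keywords never match a URL
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(src);
    return !!m && m[1].toLowerCase() + ':' === url.protocol &&
      hostMatches(m[2].toLowerCase(), url.hostname);
  });
}

function evalAllowed(policy) {
  return parseScriptSrc(policy).includes("'unsafe-eval'");
}

// Review aid: list the sources that widen what the page may execute.
function broadSources(policy) {
  return parseScriptSrc(policy).filter((s) => s.includes('*') || s === "'unsafe-eval'");
}

console.log('original policy loads session.js:', scriptAllowed(ORIGINAL, BLOCKED_SCRIPT, PAGE_ORIGIN));
console.log('proposed policy loads session.js:', scriptAllowed(PROPOSED, BLOCKED_SCRIPT, PAGE_ORIGIN));
console.log('proposed policy permits eval:', evalAllowed(PROPOSED));
console.log('sources to review:', broadSources(PROPOSED));
```

`broadSources` is the part worth keeping in a manifest review: each wildcard host or `'unsafe-eval'` entry it reports is a place where the policy now trusts more code than before.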
