UserVoice Widget causing errors due to CSP #141

Closed
neocotic opened this issue Apr 3, 2013 · 4 comments

@neocotic
Member

neocotic commented Apr 3, 2013

Getting the following error in the console when loading the options page:

```
Refused to load the script 'https://by.uservoice.com/t/i/session.js?o=%2B01%3A00' because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com https://widget.uservoice.com".
```

I'm pretty sure changing the CSP in the manifest to the following should do the trick:

```
"script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com; object-src 'self'"
```

This will need testing. It's not urgent as it's not currently affecting other functionality on the page (yet).

@ghost ghost assigned neocotic Apr 3, 2013
@neocotic
Member Author

neocotic commented Apr 4, 2013

Also, it seems that UserVoice has changed their widget system. This will require some additional changes and should be done soon so we don't lose feedback support. Even though they are currently still supporting their old system, it's unlikely they will forever.

@neocotic
Member Author

This issue has been fixed by #149 and will now be closed.

@neocotic neocotic reopened this Apr 22, 2013
@neocotic
Member Author

It appears this has not been fully resolved. For some reason, it works sometimes but not others. I'm hoping that adding 'unsafe-eval' to the CSP will fix this. Example of the error being seen:

```
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com".
```

@neocotic
Member Author

CSP issue has now been fixed by PR #152.
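
Added example, not part of the original thread or the project's code: a small `script-src` evaluator that reproduces both errors quoted above, using the two policy strings and the blocked URL from the issue. It assumes simplified matching (scheme and host only); `SELF_ORIGIN` and the function names are constructed for illustration.

```javascript
// Added example. Simplified script-src matching: scheme and host only;
// ports, paths, nonces and hashes are out of scope (assumption).
const OLD_POLICY = "script-src 'self' https://ssl.google-analytics.com https://widget.uservoice.com";
const NEW_POLICY = "script-src 'self' https://ssl.google-analytics.com https://*.uservoice.com; object-src 'self'";
const BLOCKED_URL = 'https://by.uservoice.com/t/i/session.js?o=%2B01%3A00';
const SELF_ORIGIN = 'chrome-extension://constructed-extension-id'; // constructed value

function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  // "*.example.com" covers subdomains only, never the bare domain.
  if (p.startsWith('*.')) return h.endsWith(p.slice(1)) && h.length > p.length - 1;
  return p === h;
}

function scriptAllowed(policy, scriptUrl, selfOrigin) {
  const url = new URL(scriptUrl);
  return (parseCsp(policy)['script-src'] || []).some((src) => {
    if (src === "'self'") return url.origin === selfOrigin;
    if (src.startsWith("'")) return false; // keywords like 'unsafe-eval' match no URL
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(src);
    if (!m) return false; // only scheme://host sources are handled here
    return m[1].toLowerCase() + ':' === url.protocol && hostMatches(m[2], url.hostname);
  });
}

function evalAllowed(policy) {
  return (parseCsp(policy)['script-src'] || []).includes("'unsafe-eval'");
}

console.log('old policy loads session.js:', scriptAllowed(OLD_POLICY, BLOCKED_URL, SELF_ORIGIN));
console.log('new policy loads session.js:', scriptAllowed(NEW_POLICY, BLOCKED_URL, SELF_ORIGIN));
console.log('new policy permits eval():', evalAllowed(NEW_POLICY));
```

Both changes discussed in the thread widen the policy: the wildcard trusts script from every subdomain of `uservoice.com`, and `'unsafe-eval'` permits string evaluation on the extension page, so each is worth reviewing against what the widget actually needs.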
