
[Bug] CSP error #89

Closed
MatthieuF44 opened this issue Aug 14, 2022 · 10 comments · Fixed by #95
Labels
Awaiting Test A developer test is required bug Something isn't working documentation Improvements or additions to documentation APIs or similar In progress Currently working on it Pending closure

Comments

MatthieuF44 commented Aug 14, 2022

[x] I've tried to disable every other script
[x] I've updated the browser
[x] I've updated Tampermonkey/Greasemonkey
[x] I've updated the script to the latest version

Describe the bug
When I tried to use the STS script, the script said that the request was sent, but in the Discord app we couldn't find it. After many tests I observed that there is an error with the content security policy.

In the console of developer tool, we obtain this error :
Refused to connect to https://discord.com/api/[REDACTED]/slack' because it violates the following Content Security Policy directive: "connect-src 'self' editor-assets.waze.com www.google-analytics.com storage.googleapis.com maps.googleapis.com www.googleapis.com stats.g.doubleclick.net clouderrorreporting.googleapis.com sheets.googleapis.com docs.google.com tigerweb.geo.census.gov services.arcgis.com"

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Chrome
  • Version: 104.0.5112.81
  • TamperMonkey

Additional context
To work around this issue temporarily, I've set "Modify existing content security policy (CSP) headers" to "Remove entirely (possibly unsecure)".
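The console error above is the page's CSP doing exactly what it is configured to do: `connect-src` lists the hosts that XHR/fetch from page context may reach, and `discord.com` is not among them. The following evaluator is an added example for this issue (it is not code from the WME STS script): it parses the quoted `connect-src` value and reports which source expression, if any, permits a given URL. It assumes the editor page origin is `https://www.waze.com` (the `'self'` keyword depends on it) and follows the CSP Level 3 host-source rules: a source without a scheme matches the page's scheme (plus an http-to-https upgrade), `*.` prefixes match subdomains, and an explicit port or path must match.

```javascript
// Added example for this issue, not code from the WME STS script.
// Evaluates a connect-src directive value against a URL. Assumed page origin:
// https://www.waze.com (only used for the 'self' keyword).
const WME_CONNECT_SRC =
  "'self' editor-assets.waze.com www.google-analytics.com storage.googleapis.com " +
  "maps.googleapis.com www.googleapis.com stats.g.doubleclick.net " +
  "clouderrorreporting.googleapis.com sheets.googleapis.com docs.google.com " +
  "tigerweb.geo.census.gov services.arcgis.com";

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || "";
}

// A source with no scheme matches the page's scheme; http pages may also reach https.
function schemeAllowed(sourceScheme, url, page) {
  if (sourceScheme) return url.protocol === sourceScheme;
  if (url.protocol === page.protocol) return true;
  return page.protocol === "http:" && url.protocol === "https:";
}

// "*.example.com" matches any subdomain but not example.com itself.
function hostAllowed(pattern, hostname) {
  const p = pattern.toLowerCase(), h = hostname.toLowerCase();
  if (p.startsWith("*.")) return h.endsWith(p.slice(1)) && h.length > p.length - 1;
  return p === h;
}

// True if one source expression permits `url` when loaded from `page`.
function sourceAllows(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source === "'none'") return false;
  if (source === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  const schemeOnly = source.match(/^([a-z][a-z0-9+.\-]*):$/i);
  if (schemeOnly) return url.protocol === schemeOnly[1].toLowerCase() + ":";
  // host-source: [scheme://]host[:port][/path]
  const m = source.match(/^(?:([a-z][a-z0-9+.\-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false; // other keywords or malformed entries never match a URL
  const [, scheme, host, port, path] = m;
  if (!schemeAllowed(scheme ? scheme.toLowerCase() + ":" : null, url, page)) return false;
  if (!hostAllowed(host, url.hostname)) return false;
  if (port && port !== "*" && port !== effectivePort(url)) return false;
  if (path) {
    // a path ending in "/" is a prefix; otherwise it must match exactly
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Returns the first source expression that permits the URL, or null if the
// request would be refused (which is what the console error in the issue reports).
function connectSrcMatch(directiveValue, urlString, pageUrl = "https://www.waze.com/editor") {
  const url = new URL(urlString), page = new URL(pageUrl);
  for (const source of directiveValue.trim().split(/\s+/)) {
    if (sourceAllows(source, url, page)) return source;
  }
  return null;
}

function isConnectAllowed(urlString, directiveValue = WME_CONNECT_SRC, pageUrl) {
  return connectSrcMatch(directiveValue, urlString, pageUrl) !== null;
}
```

Run against the two URLs from the issue, `sheets.googleapis.com` is matched by its own entry while the Discord webhook URL matches nothing, which is why the Sheets lookups work and the webhook POST is refused. Page-context requests cannot get around this; the request has to be made from extension context (Tampermonkey's `GM_xmlhttpRequest` with `@connect`) or the policy itself has to change, which is what the rest of the thread works through.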

@MatthieuF44 MatthieuF44 added the bug Something isn't working label Aug 14, 2022
tunisiano187 (Owner) commented

2022.08.15.01 should solve the problem

MatthieuF44 (Author) commented

Hi,

I already tested the line "@connect discord.com" but it doesn't work.

Kind regards.

ordonezgs (Collaborator) commented Aug 15, 2022

Related to the CSP policy.

The current Waze CSP policy allows contacting spreadsheets, but not Discord, Slack, Telegram and so on...

We will have to add a @connect per service that is missing or not complying with the CSP policy.

// Trying to make Beta vs. Prod. compatibility - HTTP
// On beta the stricter CSP blocks page-context XHR, so the request goes through the
// Tampermonkey-backed makeHTTPRequest(); on production the plain jQuery $.get is kept.
// Both branches fill translationsInfo with one entry per returned row.
// Note: this block uses await, so it must sit inside an async function.
if (location.host == "beta.waze.com") {
    await makeHTTPRequest('GET', cons_connect_one + sheetName + cons_connect_two)
        .then(function (response) {
            $.each(response.values, function (key, val) {
                // an empty row means the string has no translation yet
                if (!(Array.isArray(val) && val.length)) {
                    translationsInfo.push("Not Translated")
                } else {
                    translationsInfo.push(val)
                }
            });
            statusSheetsCallback = true;
            log("Tampermonkey HTTP succeeded");
        })
        .catch(function (response) {
            log("Tampermonkey HTTP failed!");
            console.log(response)
        });
} else {
    await $.get(cons_connect_one + i18n + cons_connect_two)
        .then(function (data) {
            $.each(data.values, function (key, val) {
                if (!(Array.isArray(val) && val.length)) {
                    translationsInfo.push("Not Translated")
                } else {
                    translationsInfo.push(val)
                }
            });
            statusSheetsCallback = true;
            log("$.get succeeded");
        })
        .catch(function () {
            log("$.get failed!");
        });
}

@ordonezgs ordonezgs reopened this Aug 15, 2022
@ordonezgs ordonezgs added the documentation Improvements or additions to documentation APIs or similar label Aug 15, 2022
ordonezgs (Collaborator) commented Aug 15, 2022

Actually, reviewing it, the previously shared code is OK.

We just have to replace the AJAX with await MakeHTTPRequest() and these parameters. So we will also need to adjust MakeHTTPRequest() to be able to make a POST request:

// Slack incoming webhook: the JSON document is sent as the form field "payload";
// processData: false keeps jQuery from re-encoding the pre-built string.
$.ajax({
    data: 'payload=' + JSON.stringify({
        "text": TextToSend,
        "username": ScriptName + " " + GM_info.script.version,
        "mrkdwn": true,
        "channel": serverDB[localStorage.getItem('WMESTSServer')][key]["chanel_" + chanel],
        "icon_emoji": actionicon
    }),
    processData: false,
    type: 'POST',
    url: serverDB[localStorage.getItem('WMESTSServer')][key][chanel],
    error: function (x, y, z) {
        log('Slack error : ' + x + ' ' + y + ' ' + z);
    }
});

and this
// Discord webhook (Slack-compatible endpoint): same payload shape, with the text
// rewritten through the discord replacement table before sending.
$.ajax({
    data: 'payload=' + JSON.stringify({
        "attachments": [{
            "text": TextToSend.replace(discrordreplacefrom, function (matched) {
                return discrordreplaceto[matched]
            })
        }],
        "username": ScriptName + " " + GM_info.script.version,
        "mrkdwn": true,
        "channel": serverDB[localStorage.getItem('WMESTSServer')][key]["chanel_" + chanel],
        "icon_emoji": actionicon
    }),
    processData: false,
    type: 'POST',
    url: serverDB[localStorage.getItem('WMESTSServer')][key][chanel],
    error: function (x, y, z) {
        log('Discord error : ' + x + ' ' + y + ' ' + z);
    }
});

even
// Google Forms submission: form fields in `datas`, response parsed as XML.
$.ajax({
    url: serverDB[localStorage.getItem('WMESTSServer')][key]['url'],
    data: datas,
    type: "POST",
    dataType: "xml",
    error: function (x, y, z) {
        log(x + ' ' + y + ' ' + z);
    }
});

and finally
// Telegram bot call: `dataTerlegram` already holds the request body.
$.ajax({
    data: dataTelegram,
    type: 'POST',
    url: serverDB['DEVns_en'][key]['editing'],
    error: function (x, y, z) {
        log('Telegram error : ' + x + ' ' + y + ' ' + z);
    }
});

This requires further dev, and implementation. Sorry, this will take time.

ordonezgs (Collaborator) commented Aug 15, 2022

Required @connect will be:

@connect slack.com
@connect discordapp.com
@connect discord.com
@connect telegram.org
@connect google.com

This will be for Google Forms, Slack, Discord and Telegram
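What a POST-capable MakeHTTPRequest() built on GM_xmlhttpRequest can look like, as an added example (this is not the WME STS project's own function). GM_xmlhttpRequest runs in the extension context, so the page's connect-src does not apply to it; instead the script header must carry `@grant GM_xmlhttpRequest` and one `@connect` line per host, as listed in the two comments above. The `ALLOWED_CONNECT_HOSTS` array is assumed to mirror that header and is checked before sending, so a mistyped webhook URL fails with a clear error instead of a permission prompt; the `transport` parameter is an injectable stand-in for GM_xmlhttpRequest so the wrapper can be exercised outside a browser. The `recordingTransport` helper and all sample URLs are constructed for the example.

```javascript
// Added example, not the project's own makeHTTPRequest(): a promise wrapper around
// Tampermonkey's GM_xmlhttpRequest supporting GET and form-encoded POST.
// ALLOWED_CONNECT_HOSTS is assumed to mirror the @connect lines in the script header.
const ALLOWED_CONNECT_HOSTS = ["slack.com", "discordapp.com", "discord.com", "telegram.org", "google.com"];

// @connect semantics: a bare domain covers the domain itself and all its subdomains.
function hostCoveredByConnect(hostname, connectHosts = ALLOWED_CONNECT_HOSTS) {
  const h = hostname.toLowerCase();
  return connectHosts.some((c) => h === c || h.endsWith("." + c));
}

// application/x-www-form-urlencoded body (the $.ajax calls build 'payload=' + JSON by hand).
function encodeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

function parseBody(response) {
  try { return JSON.parse(response.responseText); } catch (_) { return response.responseText; }
}

function makeHTTPRequest(method, url, { form = null, headers = {}, timeout = 10000, transport = null } = {}) {
  // real Tampermonkey API when present, injected transport otherwise
  const send = transport || (typeof GM_xmlhttpRequest === "function" ? GM_xmlhttpRequest : null);
  let target;
  try { target = new URL(url); } catch (_) { return Promise.reject(new Error("invalid URL")); }
  if (!send) return Promise.reject(new Error("GM_xmlhttpRequest is not available (missing @grant?)"));
  if (target.protocol !== "https:") return Promise.reject(new Error("refusing non-HTTPS request to " + target.host));
  if (!hostCoveredByConnect(target.hostname)) return Promise.reject(new Error("host not declared via @connect: " + target.hostname));
  return new Promise((resolve, reject) => {
    send({
      method,
      url: target.href,
      timeout,
      headers: form ? { "Content-Type": "application/x-www-form-urlencoded", ...headers } : headers,
      data: form ? encodeForm(form) : undefined,
      onload: (r) => (r.status >= 200 && r.status < 300 ? resolve(parseBody(r)) : reject(new Error("HTTP " + r.status))),
      onerror: () => reject(new Error("network error")),
      ontimeout: () => reject(new Error("timeout")),
    });
  });
}

// Slack/Discord incoming-webhook style call: the JSON document travels in a `payload` form field.
function postWebhook(url, payloadObject, opts = {}) {
  return makeHTTPRequest("POST", url, { form: { payload: JSON.stringify(payloadObject) }, ...opts });
}

// Constructed offline transport: records each request and answers it synchronously.
function recordingTransport(log, status = 200, body = '{"ok":true}') {
  return (details) => {
    log.push(details);
    details.onload({ status, responseText: body });
  };
}
```

Inside the script the call then reads `await postWebhook(serverDB[...][key][chanel], { text: TextToSend, username: ScriptName + " " + GM_info.script.version, ... })`, and the GET path stays `await makeHTTPRequest('GET', ...)`. Keeping the host check in the wrapper means the only hosts the script can ever reach are the ones in the header, which is also the list Waze staff were asked to whitelist later in the thread.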

@stale stale bot closed this as completed Oct 15, 2022
@ordonezgs ordonezgs reopened this Nov 9, 2022
@ordonezgs ordonezgs added the In progress Currently working on it label Dec 6, 2022
Repository owner deleted a comment from stale bot Dec 6, 2022
Repository owner deleted a comment from stale bot Dec 6, 2022
ordonezgs (Collaborator) commented

I have sent a request to Staff to modify their current CSP Policy to add:

discordapp.com
discord.com
api.telegram.org
hooks.slack.com

Let's wait for them before having to use the await MakeHTTPRequest() function.

@ordonezgs ordonezgs added the Awaiting Waze Staff Waze Staff pending action: like updating WME (Even Beta) or Even answering a question or Buganizer label Dec 6, 2022
ordonezgs (Collaborator) commented

This issue is in Prod, let's wait for Staff before making the required changes.

@Uwe4Waze Uwe4Waze mentioned this issue Dec 15, 2022
Repository owner deleted a comment from stale bot Jan 7, 2023
@stale stale bot removed the Pending closure label Jan 7, 2023
ordonezgs (Collaborator) commented

Staff Response:

We are happy to let you know that with the WME beta release of v 2.126, we've released the other whitelisted domains that you asked for.
Please note these are currently available in beta and will reach production once v2.126 reaches production.

@ordonezgs ordonezgs added Awaiting Test A developer test is required and removed Awaiting Waze Staff Waze Staff pending action: like updating WME (Even Beta) or Even answering a question or Buganizer labels Jan 7, 2023
stale bot commented Jan 22, 2023

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

stale bot commented Mar 19, 2023

This issue has been automatically closed because it has not had any comments for a while, feel free to reopen it if needed

@stale stale bot closed this as completed Mar 19, 2023