Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP blocking up.reload even with unsafe-eval #493

Closed
alexandremjacques opened this issue May 17, 2023 · 4 comments
Closed

CSP blocking up.reload even with unsafe-eval #493

alexandremjacques opened this issue May 17, 2023 · 4 comments
Labels
reproduction needed

Comments

@alexandremjacques
Copy link

Bug description

Whenever my links opens a new layer and uses the up-on-accepted directive, I'm receiving an error saying that CSP is not allowed to execute scripts:

Error: Your Content Security Policy disallows inline JavaScript (up.reload('#tasks-list')). See https://unpoly.com/csp for solutions.

I've set my server-side (Django app) to respond with headers specified in the docs:

SCR-20230517-hotu

Reproduction project

Can't reproduce in glitch.

Steps to reproduce the behavior:

  1. Create a link to a new layer with a up-on-accepted directive that reload contents:
<a href="<url>"
   up-layer="new"
   up-size="large"
   up-accept-location="/trips/*/details"
   up-on-accepted="up.reload('#trip-details')">
    <i class="ti ti-history icon"></i>
</a>
  1. Layer may contain a form that when submitted redirects user to the specified URL on up-accept-location
  2. Console shows the mentioned error.

Expected behavior

Should not throw error since CSP headers are set.

Browser version

  • OS: macOS
  • Browser Chrome

Additional context

I'm seeing this after upgrading from 2.7.7 to 3.1.1 (and an update to Django Framework)
@triskweline
Copy link
Contributor

When you're seeing the error, what is the value of up.browser.canEval()?

@alexandremjacques
Copy link
Author

It states false.

image

Same request:
image

@triskweline
Copy link
Contributor

That's curious. The function just tests if we can use eval() without an exception:

unpoly/src/unpoly/browser.js

Lines 63 to 72 in 78b1dc0

const canEval = u.memoize(function() {
try {
// Don't use eval() which would prevent minifiers from compressing local variables.
return new Function('return true')()
} catch {
// With a strict CSP this will be an error like:
// Uncaught EvalError: call to Function() blocked by CSP
return false
}
})

@alexandremjacques
Copy link
Author

alexandremjacques commented May 27, 2023
edited
Loading

I'll leave my solution for reference:

I had an unnoticed <meta http-equiv="Content-Security-Policy">, on my base template, with a CSP configuration that differed from what I was sending in the CSP headers.

Apparently, browsers give precedence to what is in the there over from what is comming in the CSP headers.

Removing the tag solved the problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
reproduction needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@triskweline @alexandremjacques