Content Security Policy error
emaborsa opened this issue
Emaborsa commented
I am using the library, locally with Webpack 5 and deployed on Azure App Services it works fine. Switching to NGINX and deploying to Google Cloud Run I get the following error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
This is my NGINX security.conf:

# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# note: directives must be separated by ';' (a ';' was missing between img-src and connect-src)
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self' http://localhost:44331; frame-src 'self' https://localhost:44331; font-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000" always;
# deny access to dotfiles, except .well-known
location ~ /\.(?!well-known) {
    deny all;
}
I suppose I have to add something to the Content-Security-Policy script-src, but what?
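A small linter for the policy above, added here as an example (it is not code from the issue or from the package): it parses the header value NGINX sends, flags a directive name sitting in source position (the lost ';' before connect-src in the config above, which makes browsers drop connect-src entirely), and reports whether script-src admits eval. The directive list and the sample header are constructed for this example.

```python
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "frame-src", "font-src", "object-src", "media-src", "worker-src",
    "base-uri", "form-action", "frame-ancestors", "report-uri", "report-to",
}

# The header value from the issue, reproduced as constructed input; note the
# missing ';' between "img-src 'self'" and "connect-src".
ISSUE_CSP = ("default-src 'none';script-src 'self';style-src 'self' 'unsafe-inline'; "
             "img-src 'self' connect-src 'self' http://localhost:44331; "
             "frame-src 'self' https://localhost:44331; font-src 'self'")


def parse_csp(value):
    """Split a serialized policy into {directive: [sources]} and collect problems."""
    policy, problems = {}, []
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {name!r}")
        if name in policy:
            # Browsers keep the first occurrence and ignore later duplicates.
            problems.append(f"duplicate directive {name!r} (repeat is ignored)")
            continue
        for src in sources:
            # A directive name in source position almost always means a lost ';'.
            if src.lower() in KNOWN_DIRECTIVES:
                problems.append(f"{name}: {src!r} is a directive name; missing ';' before it?")
        policy[name] = sources
    return policy, problems


def script_sources(policy):
    """script-src falls back to default-src only when script-src is absent entirely."""
    return policy["script-src"] if "script-src" in policy else policy.get("default-src", [])


def eval_allowed(value):
    """True if the policy lets page scripts call eval() / new Function()."""
    policy, _ = parse_csp(value)
    return "'unsafe-eval'" in {s.lower() for s in script_sources(policy)}


if __name__ == "__main__":
    policy, problems = parse_csp(ISSUE_CSP)
    print("eval allowed:", eval_allowed(ISSUE_CSP))
    print("\n".join(problems))
```

Adding 'unsafe-eval' to script-src silences the error but gives up the main protection of the policy; first find what in the bundle evaluates strings (an eval-style webpack devtool setting is a common cause in development builds) and remove it.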
Jaaneek commented
Hi, we believe that this is not an error with our package, since we are not using eval anywhere, as this is very bad practice.
Are you sure this is happening because of our package?
Emaborsa commented
Hi, give me some days, I will check it again.