Jaaneek / useFilePicker

Simple react hook to open browser file selector.

Home Page: https://use-file-picker.vercel.app

Content Security Policy error

emaborsa opened this issue

I am using the library. Locally with Webpack 5 and deployed on Azure App Services, it works fine. Switching to NGINX and deploying to Google Cloud Run, I get the following error:

```
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
```

This is my NGINX security.conf:

```nginx
# security headers
add_header X-Frame-Options         "SAMEORIGIN" always;
add_header X-XSS-Protection        "1; mode=block" always;
add_header X-Content-Type-Options  "nosniff" always;
add_header Referrer-Policy         "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self' http://localhost:44331; frame-src 'self' https://localhost:44331; font-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}
```

I suppose I have to add something to the Content-Security-Policy script-src, but what?

Hi, we believe that is not an error with our package since we are not using eval anywhere as this is very bad practice.

Are you sure this is happening because of our package?

Hi, give me some days, I will check it again.

Hi @emaborsa, this issue has been ongoing for almost three months, but we did not hear back from you. I'm closing this thread as we think the error you've described has nothing to do with our package.
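
An added example, not part of the thread and not code from useFilePicker: a small linter that parses a Content-Security-Policy value shaped like the header in the opening post, reports whether `script-src` permits string evaluation (the condition named in the reported error), and flags a directive name that landed inside another directive's source list because a `;` is missing. The sample policies and the names `parseCsp` and `lintCsp` are constructed for illustration.

```javascript
// Added example: a small CSP linter. Not code from the thread or from useFilePicker.
// Directive names used to spot a missing ";" (a subset of the fetch directives).
const DIRECTIVE_NAMES = new Set(['default-src', 'script-src', 'style-src', 'img-src',
  'connect-src', 'frame-src', 'font-src', 'object-src', 'media-src', 'worker-src']);

// Parse a serialized policy: split on ";", the first token is the directive name,
// and a repeated directive is ignored (the first occurrence wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function lintCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const [name, sources] of directives) {
    for (const source of sources) {
      if (DIRECTIVE_NAMES.has(source.toLowerCase())) {
        findings.push(`${name}: "${source}" is parsed as a source; a ";" is missing before it`);
      }
    }
  }
  // eval() and new Function() are governed by script-src, falling back to default-src.
  const governing = directives.get('script-src') ?? directives.get('default-src');
  const evalAllowed = governing === undefined ||
    governing.some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { directives, findings, evalAllowed };
}

// Constructed sample policies (modelled on the header in the thread).
const MISSING_SEPARATOR = "default-src 'none'; script-src 'self'; " +
  "img-src 'self' connect-src 'self' http://localhost:44331; font-src 'self'";
const WITH_SEPARATOR = MISSING_SEPARATOR.replace("img-src 'self' ", "img-src 'self'; ");

for (const policy of [MISSING_SEPARATOR, WITH_SEPARATOR]) {
  const { findings, evalAllowed, directives } = lintCsp(policy);
  console.log({ findings, evalAllowed, hasConnectSrc: directives.has('connect-src') });
}
```

Both sample policies report `evalAllowed: false`: a `script-src` without `'unsafe-eval'` blocks `eval()` and `new Function()` no matter which bundled module makes the call.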