mojolicious / minion

:octopus: Perl high performance job queue

Home Page:https://metacpan.org/release/Minion

Support Content Security Policies

ChristophB opened this issue · comments

  • Minion version: 10.0
  • Perl version: 5.20.2
  • Operating system: Debian 8

Steps to reproduce the behavior

Set a Content-Security-Policy header like script-src 'self';.

Expected behavior

Minion JS scripts should be executed by the browser.

Actual behavior

The browser refuses to execute inline scripts in minion/dashboard.html.ep and layouts/minion.html.ep.

Feature Request

  • allow specification of nonce token used for inline script tags
  • or move inline script tags into separate JS files

I'm not seeing any problems with Chrome, Firefox, Safari and Edge. Which browser are you referring to?

It happens to me in Chrome, Edge and Opera.

I get the following errors in the browser console:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-<nonce-token>' 'unsafe-eval'".
Either the 'unsafe-inline' keyword, a hash ('sha256-eTNeYPL/SYISrqGh2NIwa4AvEW6t7UxO3jPechjijFE='), or a nonce ('nonce-...') is required to enable inline execution.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-<nonce-token>' 'unsafe-eval'".
Either the 'unsafe-inline' keyword, a hash ('sha256-Chlzz1cxGvHFIiw/mqDWMg9L5HqwdegP+fJTsLTibhc='), or a nonce ('nonce-...') is required to enable inline execution.

Both errors refer to the following <script> tags:
Of course I could add the displayed hashes to the CSP directive, but they must be updated whenever the <script> tags change.

I cannot replicate those findings, it works perfectly for me as is.

I could reproduce the behavior with the following Mojolicious lite app:

use Mojolicious::Lite;

# Send a strict CSP with every response: only same-origin script files are
# allowed, so inline <script> tags in the Minion::Admin templates are blocked.
hook after_dispatch => sub {
    shift->res->headers->content_security_policy("script-src 'self';");
};

# Minion backend plus the admin dashboard mounted at /minion.
plugin Minion => { Pg => 'postgresql://db_user:db_pass@db/test' };
plugin 'Minion::Admin';

app->start;

Here is a ZIP archive, which contains the app.pl file as well as a Dockerfile and docker-compose.yml file to build the Docker container I used for this example: minion-issue-89.zip

Just run docker-compose up and navigate to http://localhost:3000/minion.

Ah, you're breaking it yourself, now I get it. Guess that makes this a "wontfix".
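The two mechanisms discussed in this thread, a per-request nonce (the first bullet of the feature request) and the 'sha256-...' source expression Chrome prints in its console message, are shown together in the following Mojolicious::Lite app. This is an added example written for this page, not code from Minion or Mojolicious: it assumes a Unix-like host with /dev/urandom for nonce generation, and it only covers the app's own templates, since the Minion::Admin templates described in the issue have no hook for picking up a nonce.

```perl
use Mojolicious::Lite;
use Digest::SHA qw(sha256);
use Mojo::Util qw(b64_encode encode);

# 16 random bytes, base64 without line breaks: a valid CSP nonce value.
# Assumption: a Unix-like host with /dev/urandom (the Debian box in this report qualifies).
sub new_nonce {
  open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
  read($fh, my $bytes, 16) == 16 or die 'Short read from /dev/urandom';
  close $fh;
  return b64_encode($bytes, '');
}

# The 'sha256-...' source expression for an inline script body, computed the way
# the browser does it: SHA-256 over the UTF-8 bytes between <script> and </script>.
# Any change to those bytes, including whitespace, produces a different hash.
sub csp_script_hash {
  my $body = shift;
  return "'sha256-" . b64_encode(sha256(encode('UTF-8', $body)), '') . "'";
}

# Nonce approach: one fresh nonce per request, stored in the stash for templates
# and sent in the Content-Security-Policy header of the same response.
hook before_dispatch => sub {
  my $c     = shift;
  my $nonce = new_nonce();
  $c->stash(csp_nonce => $nonce);
  $c->res->headers->content_security_policy("script-src 'self' 'nonce-$nonce'");
};

get '/' => 'index';

# Hash approach: for a script body that never changes, the handler computes the
# hash from the exact string it renders, so header and markup cannot drift apart.
my $fixed_js = "console.log('hash accepted');";
get '/hashed' => sub {
  my $c = shift;
  $c->res->headers->content_security_policy(
    "script-src 'self' " . csp_script_hash($fixed_js));
  $c->render(template => 'hashed', js => $fixed_js);
};

app->start;
__DATA__

@@ index.html.ep
<!DOCTYPE html>
<html>
<head><title>CSP nonce demo</title></head>
<body>
  <p>This inline script carries the per-request nonce and runs under the CSP above.</p>
  <script nonce="<%= $csp_nonce %>">
    document.body.appendChild(document.createTextNode('nonce accepted'));
  </script>
</body>
</html>

@@ hashed.html.ep
<!DOCTYPE html>
<html>
<head><title>CSP hash demo</title></head>
<body>
  <p>This inline script is allowed by its SHA-256 hash; no surrounding whitespace is emitted.</p>
  <script><%== $js %></script>
</body>
</html>
```

Run it with `perl app.pl daemon` and open / and /hashed: the browser console stays clean for both, while changing a single character of `$fixed_js` in the template without updating the header reproduces the "Refused to execute inline script" message quoted above. The nonce route is the shape the feature request asks for, which is why the app alone cannot fix Minion's own templates: they would have to emit `nonce="..."` from the same per-request value.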