Support Content Security Policies
ChristophB opened this issue
- Minion version: 10.0
- Perl version: 5.20.2
- Operating system: Debian 8
Steps to reproduce the behavior
Set a Content-Security-Policy header like `script-src 'self';`.
Expected behavior
Minion JS scripts should be executed by the browser.
Actual behavior
The browser refuses to execute inline scripts in `minion/dashboard.html.ep` and `layouts/minion.html.ep`.
Feature Request
- allow specification of nonce token used for inline script tags
- or move inline script tags into separate JS files
I'm not seeing any problems with Chrome, Firefox, Safari and Edge. Which browser are you referring to?
It happens to me in Chrome, Edge and Opera.
I get the following errors in the browser console:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-<nonce-token>' 'unsafe-eval'".
Either the 'unsafe-inline' keyword, a hash ('sha256-eTNeYPL/SYISrqGh2NIwa4AvEW6t7UxO3jPechjijFE='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-<nonce-token>' 'unsafe-eval'".
Either the 'unsafe-inline' keyword, a hash ('sha256-Chlzz1cxGvHFIiw/mqDWMg9L5HqwdegP+fJTsLTibhc='), or a nonce ('nonce-...') is required to enable inline execution.
Both errors refer to the following <script> tags:
Of course I could add the displayed hashes to the CSP directive, but they must be updated whenever the <script> tags change.
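To make the console messages above concrete, here is an added Python example (not code from the Minion project or from anyone in this thread). It computes the 'sha256-...' source expression a browser demands for a given inline script body, generates a per-response nonce, and mirrors the browser's allow/deny decision for an inline script under a given script-src directive. The script body and header values are constructed for the example. It goes one step beyond the thread in showing that once a nonce or hash source is present in script-src, browsers ignore 'unsafe-inline', which is why a nonce-based policy stays strict.

```python
import base64
import hashlib
import secrets
from typing import List, Optional

# Constructed sample: an inline script body exactly as it would sit between
# <script> and </script>. The hash covers every byte, whitespace included,
# so any edit to the template changes the required hash.
SAMPLE_INLINE_SCRIPT = "document.title = 'Minion dashboard';"


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the source expression a browser reports for an inline script,
    e.g. 'sha256-...': base64 of the digest of the UTF-8 encoded script text."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash sources must be sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce(nbytes: int = 16) -> str:
    """Per-response nonce: unpredictable, base64, generated fresh for every
    response. Reusing a nonce across responses defeats the mechanism."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def parse_script_src(header: str) -> List[str]:
    """Pull the source list of the script-src directive out of a CSP header."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def inline_script_allowed(header: str, script_body: str,
                          nonce_attr: Optional[str] = None) -> bool:
    """Mirror the browser's decision for an inline <script>.

    'self' never covers inline code. Inline execution is allowed only by
    'unsafe-inline' (and only when no nonce or hash source is present),
    by a 'nonce-...' source matching the tag's nonce attribute, or by a
    hash source matching the script body."""
    sources = parse_script_src(header)
    strict_sources = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    has_nonce_or_hash = any(s.startswith(strict_sources) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources:
        return True
    for algo in ("sha256", "sha384", "sha512"):
        if csp_hash_source(script_body, algo) in sources:
            return True
    return False


if __name__ == "__main__":
    # The policy from the report: inline scripts are refused.
    print("script-src 'self';", "->",
          inline_script_allowed("script-src 'self';", SAMPLE_INLINE_SCRIPT))
    # The hash the console message would ask for, and a policy that includes it.
    h = csp_hash_source(SAMPLE_INLINE_SCRIPT)
    print(h, "->", inline_script_allowed(f"script-src 'self' {h}", SAMPLE_INLINE_SCRIPT))
    # A nonce-based policy: the tag must carry the same nonce attribute.
    n = new_nonce()
    print("nonce", "->", inline_script_allowed(f"script-src 'self' 'nonce-{n}'",
                                              SAMPLE_INLINE_SCRIPT, nonce_attr=n))
```

Run it directly to see the three policies evaluated against the constructed script. Changing a single character of SAMPLE_INLINE_SCRIPT invalidates the hash-based policy but not the nonce-based one, which is the maintenance problem the feature request describes.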
I cannot replicate those findings, it works perfectly for me as is.
I could reproduce the behavior with the following Mojolicious::Lite app:
use Mojolicious::Lite;

# Attach a strict CSP to every response: only same-origin script files,
# no inline <script> tags.
hook after_dispatch => sub {
  shift->res->headers->content_security_policy("script-src 'self';");
};

# Minion backend (PostgreSQL) and the admin dashboard under /minion.
plugin Minion => { Pg => 'postgresql://db_user:db_pass@db/test' };
plugin 'Minion::Admin';

app->start;
Here is a ZIP archive, which contains the `app.pl` file as well as a `Dockerfile` and `docker-compose.yml` file to build the Docker container I used for this example: minion-issue-89.zip
Just run `docker-compose up` and navigate to http://localhost:3000/minion.
Ah, you're breaking it yourself, now I get it. Guess that makes this a "wontfix".