Script violates Content Security Policy rules.

Created on 10 April 2024, 8 months ago
Updated 30 April 2024, 7 months ago

Problem/Motivation

I have installed the CSP module on a website that has Editoria11y installed. The CSP is running in Report only mode. I figured out how to configure the CSP style-src-elem so that inline styles will be allowed as per Issue 3388093. However, I am also getting a report that the module's javascript violates the script-src rule because unsafe-eval is not allowed.

The specific report message from the browser console is:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.googletagmanager.com cdn.jsdelivr.net https://cdnjs.cloudflare.com https://polyfill.io".

According to the report, the line in the JavaScript causing the problem is:

window.setTimeout(Ed11y.alignTip(this.toggle, this.tip)),

I'm not entirely sure why this line would be a problem since the argument for the setTimeout is not a string, but that's the report I'm receiving.

The report does not appear on the console when a page with Editoria11y active is first loaded. Nor does it happen immediately when you click on the Editoria11y widget in the lower right corner of the window. It only happens when you hover over a marker in the page identifying a potential a11y issue in the page.

I am testing my CSP in Drupal 10.2.5 with Editoria11y 2.1.9.

πŸ› Bug report
Status

Fixed

Version

2.1

Component

Conflicts with other modules

Created by

🇺🇸 United States aaronpinero
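The line quoted in the report looks harmless because no string literal is passed, but the argument expression is evaluated first: `Ed11y.alignTip(this.toggle, this.tip)` runs immediately and whatever it returns is what `setTimeout` receives. Browsers implement `setTimeout` per the HTML "timer initialization steps": a callable handler is queued as a function, anything else is converted with `ToString` and evaluated as script, which CSP treats exactly like `eval()`. The following is an added example, not code from Editoria11y, the CSP module, or the report author. `scheduleLikeBrowser` is a hypothetical shim of that spec logic so the behaviour can be checked in Node, where the real `setTimeout` simply rejects non-functions; the `Ed11y.alignTip` stand-in and the element geometry are constructed, and it is an assumption that the real `alignTip` returns nothing.

```javascript
// Hypothetical shim of the browser's timer initialization steps:
// a function handler is queued; any other value is stringified and
// handed to the script evaluator, subject to the CSP 'unsafe-eval' check.
function scheduleLikeBrowser(handler, cspAllowsUnsafeEval) {
  if (typeof handler === 'function') {
    return { kind: 'function', handler };
  }
  // Non-callable handler: ToString(handler), then CSP gate, then eval.
  const source = String(handler);
  if (!cspAllowsUnsafeEval) {
    return {
      kind: 'blocked',
      source,
      message:
        "Refused to evaluate a string as JavaScript because 'unsafe-eval' " +
        'is not an allowed source of script',
    };
  }
  return { kind: 'string', source };
}

// Stand-in for Ed11y.alignTip (assumption: the real one returns nothing).
// It positions the tooltip below its toggle and, like most DOM helpers,
// has no return value, so the call expression evaluates to undefined.
const Ed11y = {
  alignTip(toggle, tip) {
    tip.left = toggle.left;
    tip.top = toggle.top + toggle.height;
  },
};

// Shape from the report: alignTip runs synchronously, and its return
// value (undefined) is what setTimeout receives. The browser stringifies
// it to "undefined" and tries to evaluate that as script.
function buggyHover(toggle, tip, cspAllowsUnsafeEval = false) {
  return scheduleLikeBrowser(Ed11y.alignTip(toggle, tip), cspAllowsUnsafeEval);
}

// Corrected shape (suggested pattern, not the project's actual fix):
// pass a function, so the browser queues a callback and no string ever
// reaches the script evaluator. This also makes the alignment genuinely
// deferred, which is presumably what the setTimeout was for.
function fixedHover(toggle, tip, cspAllowsUnsafeEval = false) {
  return scheduleLikeBrowser(() => Ed11y.alignTip(toggle, tip), cspAllowsUnsafeEval);
}

// Constructed sample geometry standing in for the toggle and tip elements.
const sampleToggle = { left: 100, top: 200, height: 24 };
const sampleTip = {};

// Under a script-src without 'unsafe-eval' the buggy form is blocked
// (and the console message matches the one in the report), while the
// fixed form is queued as an ordinary callback.
const blocked = buggyHover(sampleToggle, sampleTip);
const queued = fixedHover(sampleToggle, sampleTip);
console.log(blocked.kind, JSON.stringify(blocked.source), '|', queued.kind);
```

Without a CSP, the buggy form works silently: evaluating the string `"undefined"` does nothing, the tooltip was already aligned synchronously, and the bug only surfaces once `'unsafe-eval'` is withheld. That is why the violation appears only when a tooltip is opened rather than on page load, and why allowing `'unsafe-eval'` would be the wrong fix: the call should pass a function.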
