Firefox add-on needs 'unsafe-eval' in CSP header
The Firefox version is not able to detect the Ember application if the server sends the Content Security Policy header without 'unsafe-eval' in the script-src directive.
In the Console I get this Security-Error:
09:25:50.243 Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://zeit"). content-script.js:58:0
The path of content-script.js seems to be:
view-source:resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js
And the CSP report Firefox sends to my server:
{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://zeit/",
    "line-number": 58,
    "original-policy": "default-src 'none'; script-src https://zeit; style-src https://zeit; img-src https://zeit; connect-src https://zeit; form-action https://zeit; font-src https://zeit; base-uri https://zeit; report-uri https://zeit/api/csp_report",
    "referrer": "",
    "script-sample": "call to eval() or related function blocked by CSP",
    "source-file": "resource://gre/modules/commonjs/toolkit/loader.js%20-%3E%20resource://gre/modules/commonjs/sdk/loader/sandbox.js%20-%3E%20resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js",
    "violated-directive": "script-src https://zeit"
  }
}
I also get a logging error (that's probably caused by the first error):
09:25:50.246 ember-inspector:Object { } sandbox.js:334
view-source:resource://gre/modules/commonjs/sdk/content/sandbox.js
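The report above is the standard case a report-uri endpoint has to triage: the violated directive is the page's own script-src, but the eval() call that tripped it came from an add-on's content script (the resource:// chain in source-file), not from anything the site serves. The following is an added example, not code from the ember-inspector project or the issue author: it parses a CSP header the way the spec resolves script-src (falling back to default-src, first occurrence of a directive wins), decides whether the policy permits eval(), and classifies a csp-report so extension-originated eval blocks can be filtered server-side instead of loosening the page's policy with 'unsafe-eval'. The set of extension URL schemes it checks (resource://, moz-extension://, chrome-extension://) is an assumption of this example, and the sample report is the one quoted in the issue.

```javascript
// Added example (not part of the ember-inspector issue or project): parse a
// Content-Security-Policy header, decide whether it permits eval(), and triage
// a csp-report so a report-uri endpoint can tell "my page needs a policy
// change" from "a browser extension tripped my policy".

// Parse "directive source source; directive ..." into a Map. Per the CSP spec,
// only the first occurrence of a directive name is honoured.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs eval(); when it is absent, default-src applies; when both
// are absent, script execution is unrestricted.
function effectiveScriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

function allowsEval(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Triage one csp-report object. A violation raised from an add-on's own code
// has a source-file pointing at extension-internal URLs rather than at the
// page (assumed scheme list: resource://, moz-extension://, chrome-extension://).
function triageReport(report) {
  const r = report["csp-report"];
  const sourceFile = decodeURIComponent(r["source-file"] || "");
  const sample = r["script-sample"] || "";
  return {
    fromExtension: /(^|\s)(resource|moz-extension|chrome-extension):\/\//.test(sourceFile),
    evalBlocked: /eval\(\)/.test(sample),
    evalAllowedByPolicy: allowsEval(r["original-policy"] || ""),
  };
}

// An eval() block raised from extension code is noise for the page's policy;
// everything else is worth a page owner's attention.
function shouldAlert(report) {
  const t = triageReport(report);
  return !(t.fromExtension && t.evalBlocked);
}

// Sample input: the report quoted in the issue above.
const SAMPLE_REPORT = {
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://zeit/",
    "line-number": 58,
    "original-policy": "default-src 'none'; script-src https://zeit; style-src https://zeit; img-src https://zeit; connect-src https://zeit; form-action https://zeit; font-src https://zeit; base-uri https://zeit; report-uri https://zeit/api/csp_report",
    "referrer": "",
    "script-sample": "call to eval() or related function blocked by CSP",
    "source-file": "resource://gre/modules/commonjs/toolkit/loader.js%20-%3E%20resource://gre/modules/commonjs/sdk/loader/sandbox.js%20-%3E%20resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js",
    "violated-directive": "script-src https://zeit",
  },
};

console.log(triageReport(SAMPLE_REPORT));
console.log("alert:", shouldAlert(SAMPLE_REPORT));
console.log("policy with 'unsafe-eval' allows eval:",
  allowsEval("default-src 'none'; script-src https://zeit 'unsafe-eval'"));
```

Run with node; for the quoted report it prints fromExtension and evalBlocked as true, evalAllowedByPolicy as false, and alert as false. The design point is that the report endpoint, not the policy, is where this class of violation should be handled: adding 'unsafe-eval' to script-src to silence an add-on would re-enable string-to-code execution for every script on the page.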
Issue Analytics
- Created 8 years ago
- Reactions: 2
- Comments: 5 (4 by maintainers)
Top GitHub Comments
Think I'm seeing the same security error in Firefox, no issue in Chrome.
I believe this is no longer an issue, since some of the changes we have merged in. If anyone is still experiencing this, please feel free to reopen!