
vendor.bundle.js violates Content Security Policy directive trusted-types


When using Lighthouse on a website that enforces a Content Security Policy (CSP) that includes the trusted-types directive as follows:

content-security-policy: trusted-types; require-trusted-types-for 'script'

the following error is shown in Chrome’s console:

Refused to create a TrustedTypePolicy named 'dompurify' because it violates the following Content Security Policy directive: "trusted-types ".
W @ vendor.bundle.js:163
e @ vendor.bundle.js:163
(anonymous) @ vendor.bundle.js:163
31699 @ vendor.bundle.js:163
r @ content.bundle.js:62
17605 @ content.bundle.js:31
r @ content.bundle.js:62
48269 @ content.bundle.js:1
r @ content.bundle.js:62
(anonymous) @ content.bundle.js:62
r.O @ content.bundle.js:62
(anonymous) @ content.bundle.js:62
(anonymous) @ content.bundle.js:62
vendor.bundle.js:163 TrustedTypes policy dompurify could not be created.
W @ vendor.bundle.js:163
e @ vendor.bundle.js:163
(anonymous) @ vendor.bundle.js:163
31699 @ vendor.bundle.js:163
r @ content.bundle.js:62
17605 @ content.bundle.js:31
r @ content.bundle.js:62
48269 @ content.bundle.js:1
r @ content.bundle.js:62
(anonymous) @ content.bundle.js:62
r.O @ content.bundle.js:62
(anonymous) @ content.bundle.js:62
(anonymous) @ content.bundle.js:62

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 12 (5 by maintainers)
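
The refusal in the console output above follows from the empty `trusted-types` allowlist in the site's header. The sketch below is an added example, not code from the issue or from Lighthouse: it models the allowlist check a browser applies when a script calls `trustedTypes.createPolicy`, so a header can be tested against the policy names a page's scripts need. The function names and the second header are assumptions made for illustration.

```javascript
// Added example with constructed inputs; function names are hypothetical,
// not a browser or library API. Models an enforced (not report-only) CSP.

// Return the tokens of the first `trusted-types` directive in a CSP header
// value, or null when the directive is absent (creation is unrestricted).
function trustedTypesAllowlist(cspHeader) {
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'trusted-types') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Decide whether createPolicy(policyName) would be permitted.
// `alreadyCreated` lists policy names created earlier on the same page.
function checkPolicyCreation(cspHeader, policyName, alreadyCreated = []) {
  const allowlist = trustedTypesAllowlist(cspHeader);
  if (allowlist === null) {
    return { allowed: true, reason: 'no trusted-types directive' };
  }
  const keywords = allowlist.map((t) => t.toLowerCase());
  if (alreadyCreated.includes(policyName) && !keywords.includes("'allow-duplicates'")) {
    return { allowed: false, reason: 'duplicate policy name' };
  }
  // Policy names are matched case-sensitively; `*` allows any name.
  if (!allowlist.includes(policyName) && !allowlist.includes('*')) {
    return { allowed: false, reason: 'name not in trusted-types allowlist' };
  }
  return { allowed: true, reason: 'name allowlisted' };
}

// The header from the issue: the allowlist is empty, so every name is refused.
const issueHeader = "trusted-types; require-trusted-types-for 'script'";
// Assumed alternative: the same header with the policy name from the error added.
const allowlistedHeader = "trusted-types dompurify; require-trusted-types-for 'script'";

console.log(checkPolicyCreation(issueHeader, 'dompurify'));
console.log(checkPolicyCreation(allowlistedHeader, 'dompurify'));
console.log(checkPolicyCreation(allowlistedHeader, 'dompurify', ['dompurify']));
```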

Top GitHub Comments

jplejacq-quoininc-com commented, Nov 18, 2021 (1 reaction)

dylanb commented, Nov 19, 2021 (0 reactions)

@paulirish we have recently moved axe-core into a resource that only gets loaded when used and are making other changes to do the same

oh sweet! great news.

@dylanb And just so I don’t look like a total jerk who’s badmouthing your project over here… :p … Here’s my bug report of this issue. And now from the duped issue I see your recent comment saying the same thing. nice stuff!

@paulirish in total contrast to a jerk, we thank you for all of the things you and your team have done to move axe-core forward - thanks and keep pushing us!!
