Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CSP: Storybook 6 uses unsafe-eval
See original GitHub issueDescription
A react component library I maintain for my company deploys a storybook to our internal Github Pages (enterprise). These have headers that set a Content Security Policy (CSP) that does not include unsafe-eval. These cannot be overwritten by <meta .../> tags as the headers have a stricter policy.
After upgrading Storybook 5.3.9 to 6.0.21, the storybook will not load any more:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
Uncaught TypeError: __webpack_require__(...) is not a function
Expanded screenshot below.
The problem is reproduce-able locally with a minimal config, but the original issue is with a built version on a remote server.
To Reproduce
Setup minimal storybook react
mkdir test-sb && cd test-sbyarn inityarn add react react-domnpx sb init
Emulate CSP & run
echo "<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self' ; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' *; media-src 'self' ; frame-src 'self';\" />" > .storybook/manager-head.htmlyarn storybook
Expected behavior
As previous versions, Storybook should avoid leveraging unsafe-eval
Screenshot
System
Local setup
OS: macOS 10.15.6
CPU: (12) x64 Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz
Binaries:
Node: 14.4.0 - ~/.nvm/versions/node/v14.4.0/bin/node
Yarn: 1.21.1 - ~/.yarn/bin/yarn
npm: 6.14.5 - ~/.nvm/versions/node/v14.4.0/bin/npm
Browsers:
Chrome: 85.0.4183.83
Safari: 13.1.2
npmPackages:
@storybook/addon-actions: ^6.0.21 => 6.0.21
@storybook/addon-essentials: ^6.0.21 => 6.0.21
@storybook/addon-links: ^6.0.21 => 6.0.21
@storybook/react: ^6.0.21 => 6.0.21 ```
Issue Analytics
- State:
- Created 3 years ago
- Reactions:44
- Comments:34 (12 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Problem summary
The
telejsonlibrary that serializes objects between the user’s “preview” UI and the surrounding “manager” UI usesevalto stringify & parse functions, which causes the CSP problem.Proposed sketch of a solution
Telejson already has an option
allowFunctionthat throws away functions instead of serializing them. This option is inspected instringify. It should also be inspected inparse.Furthermore, there should be a way to globally configure Storybook in
.storybook/main.js. Proposal:createChannelshould setallowFunctionglobally for the channel so that every request filters out functions.Thanks to all for looking into this! It’s been a couple months now, so I’ll go ahead and ask: Are there any updates on the situation?