CSP (Content Security Policy) blocking loading of unsafe-inline js #496

Open
Obsiye opened this issue Dec 11, 2020 · 4 comments


Obsiye commented Dec 11, 2020

Hi, we have CSP configured and this blocks this gem from showing a live REPL on the error page. The CSP blocks unsafe-inline JavaScript, which is good for our app. However, this gem then doesn't work on error pages.

It's empty on the right side of the page.

image

RobinDaugherty (Member) commented

@Obsiye this should be fixed in 2.10.0.beta1 (more info in #497). Can you give that a try? Also, can you let me know if your project uses Turbolinks? (I need to test this release both with and without Turbolinks.)


joelcahalan commented Dec 15, 2020

We don't use Turbolinks or have any CSP configured, but when I get a Better Errors page it shows the message:

"Better Errors can't run Javascript here, possibly because you have a Content Security Policy along with Turbolinks. But you can open the interactive console in a new tab/window."

If I click the link for the interactive console it opens a page that is exactly the same as the first and without a console. I am using the master branch of Better Errors and Chrome "Version 89.0.4350.4 (Official Build) dev (x86_64)". Frustrating to not be able to get a console like I am used to. Any help where to look for a solution?

edit: I realized that if I wait long enough the console will appear, but it seems to take several minutes and then it will freeze up a lot.

RobinDaugherty (Member) commented Dec 15, 2020

@joelcahalan sorry that you're running into problems with this. Keep in mind that this is a beta version. I suggest you upgrade to the latest release version (2.9.1) if you're not interested in troubleshooting this prerelease version. There's a discussion area for the beta release if you'd like to help me troubleshoot.

Obsiye (Author) commented Jan 6, 2021

Hi @RobinDaugherty, thank you for your quick response. Also, really sorry for my late response. I've tried using 2.10.0.beta1 and before this release, the right side was blank and now there's more information about the error.

However, the link to the interactive console just opens up a tab with the same error page (duplicate). Also, the browser console still outputs CSP blocks:

> Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src")

I don't believe we use Turbolinks. (Our Rails version is 6.1.0 and Ruby version is 2.7.1)

image
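
An added example, not part of the issue thread or the Better Errors code: a Ruby check that mirrors how a browser decides whether one CSP header lets an inline `<script>` run, which is the decision behind the `script-src` message quoted in the thread. The function names and sample policies are constructed for illustration; it evaluates a single header and does not model `'strict-dynamic'`.

```ruby
require 'digest'

# Parse a Content-Security-Policy header value into { directive => [sources] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, policy|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil?
    # A repeated directive is ignored by browsers; the first occurrence wins.
    policy[name.downcase] ||= sources
  end
end

NONCE_OR_HASH = /\A'(nonce-|sha(256|384|512)-)[^']+'\z/i

# Returns [allowed, reason] for an inline <script> element.
# nonce: value of the element's nonce attribute; body: the script text.
def inline_script_decision(header, nonce: nil, body: nil)
  policy = parse_csp(header)
  # Inline script elements are governed by script-src-elem, then script-src,
  # then default-src, whichever is present first.
  directive = %w[script-src-elem script-src default-src].find { |d| policy.key?(d) }
  return [true, 'no directive governs scripts'] unless directive

  sources = policy[directive]
  if nonce && sources.include?("'nonce-#{nonce}'")
    return [true, "nonce matches #{directive}"]
  end
  if body && sources.include?("'sha256-#{Digest::SHA256.base64digest(body)}'")
    return [true, "sha256 hash matches #{directive}"]
  end
  # Once a nonce or hash source is present, 'unsafe-inline' is ignored.
  if sources.any? { |s| s.match?(NONCE_OR_HASH) }
    return [false, "#{directive} uses nonce/hash sources; 'unsafe-inline' is ignored"]
  end
  if sources.map(&:downcase).include?("'unsafe-inline'")
    return [true, "#{directive} contains 'unsafe-inline'"]
  end
  [false, "#{directive} has no 'unsafe-inline', matching nonce or matching hash"]
end

# Constructed sample policies.
if __FILE__ == $PROGRAM_NAME
  p inline_script_decision("default-src 'self'")
  p inline_script_decision("script-src 'self' 'nonce-abc123'", nonce: 'abc123')
end
```

A tool that injects inline scripts into a page served under such a policy has to carry the page's nonce (or a listed hash) on each script element; otherwise the browser blocks it as reported above.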
