
Check #1139 flag #1620

Open
krausest opened this issue Mar 5, 2024 · 6 comments

Comments

krausest (Owner) commented Mar 5, 2024

The check if an implementation works with a content security policy hasn't been run regularly.

The following frameworks fail with CSP and currently don't have flag #1139 set, with the following error: "Refused to apply inline style because it violates the following Content Security Policy directive" (due to 'style-src-elem'). Can you please check if you can remove that inline styling?
In contrast to the other CSP violations in this case the page works fine, so it could be fixable (or maybe ignorable on my side?).

The following frameworks fail with CSP and currently don't have flag #1139 set, with the following error: "Refused to execute inline script".

  • dojo
  • goui
  • owl
  • qwik
  • quel
  • sprae

I'll perform some additional checks and then add the #1139 to package.json for those frameworks.
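Since the two console errors above are named by CSP directive, here is an added example (not the repository's checkCSP script, and not code from either participant) that statically scans a built index.html for the markup a policy such as `default-src 'self'` would block; that policy and the sample HTML are assumptions, not taken from the benchmark.

```javascript
// Added example, not code from js-framework-benchmark or its checkCSP script.
// Assumed policy (no 'unsafe-inline', nonces or hashes):
//   Content-Security-Policy: default-src 'self'
// Under it the browser reports, per directive:
//   <style>...</style>      -> style-src-elem   (falls back to style-src / default-src)
//   style="..." attributes  -> style-src-attr
//   <script> without src=   -> script-src-elem
//   onclick="..." etc.      -> script-src-attr
// Heuristic regex scan of a built index.html; it does not parse HTML fully.
const CHECKS = [
  { directive: "style-src-elem", re: /<style\b[^>]*>/gi,
    fix: "move the CSS into an external stylesheet loaded via <link>" },
  { directive: "style-src-attr", re: /<[a-z][^>]*\sstyle\s*=\s*["'][^>]*>/gi,
    fix: "replace style= attributes with class names in an external stylesheet" },
  { directive: "script-src-elem", re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi,
    fix: "move the script into an external .js file referenced by src=" },
  { directive: "script-src-attr", re: /<[a-z][^>]*\son[a-z]+\s*=\s*["'][^>]*>/gi,
    fix: "attach the handler with addEventListener from an external script" },
];

// Returns one finding per offending tag: which directive blocks it and how to fix it.
function findCspViolations(html) {
  const findings = [];
  for (const { directive, re, fix } of CHECKS) {
    for (const m of html.matchAll(re)) {
      findings.push({ directive, snippet: m[0].slice(0, 60), fix });
    }
  }
  return findings;
}

// Tally findings by directive, e.g. { "style-src-elem": 1, ... }.
function countByDirective(findings) {
  const counts = {};
  for (const f of findings) counts[f.directive] = (counts[f.directive] || 0) + 1;
  return counts;
}

// Constructed sample resembling a bundled index.html that fails all four checks.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/currentStyle.css">
<style>.row{height:1.2em}</style>
<script src="/dist/main.js"></script>
<script>window.__app = {};</script>
</head><body>
<div id="main" style="display:none"></div>
<button onclick="run()">Create 1,000 rows</button>
</body></html>`;

for (const f of findCspViolations(SAMPLE_HTML)) {
  console.log(`${f.directive}: ${f.snippet} -> ${f.fix}`);
}
```

A page that passes should yield no findings; external `<link>` and `<script src>` references are left alone.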

antonmak1 (Contributor) commented Mar 6, 2024

@krausest Hello! I will try to fix this issue as soon as possible. Tell me, please, until this is fixed, do I need to manually add such a line to package.json?
"issues": [ 1139 ]
This is important, because it is necessary to clearly determine that there are such errors in the framework (library). I know about CSP, but I didn’t know that it could be tested here. There is no information in the README file about this and about the npm run checkCSP function with a guide that has already been created, as I understand it. Maybe for issue #1139 add a small paragraph to the README? It would be very nice if the authors of new implementations knew about this, so as not to go deep into wikis or issues.

antonmak1 (Contributor) commented

This week I will then make a PR adding a line about this issue. I would have added earlier, I just didn’t know about it. Sorry. 😕

krausest (Owner, Author) commented Mar 6, 2024

This week I will then make a PR adding a line about this issue. I would have added earlier, I just didn’t know about it. Sorry. 😕

No problem, I failed to check the CSP regularly. I added the flag for all frameworks where needed.
The check is now included in npm run rebuild keyed/cample and npm run rebuild-ci keyed/cample, or can be invoked with npm run checkCSP keyed/cample (where keyed/cample is of course the placeholder for the specific implementation).

antonmak1 (Contributor) commented

OK. Then, as I understand it, I will not upload a separate PR with the addition of this flag for now. In general, in any case, the problem with CSP is clear. I will then make corrections on this topic to make the framework safer for users.

krausest (Owner, Author) commented Mar 6, 2024

Yes. If you have the corrections ready you can remove the 1139 flag in package.json in the PR.

antonmak1 (Contributor) commented

Okay
