BetterErrors / better_errors

Better error page for Rack apps
MIT License

CSP (Content Security Policy) blocking loading of unsafe-inline js #496

Open Obsiye opened 3 years ago

Obsiye commented 3 years ago

Hi, we have CSP configured and this blocks this gem from showing a live REPL on the error page. The CSP blocks unsafe-inline JavaScript, which is good for our app. However, this gem then doesn't work on error pages.

It's empty on the right side of the page.


RobinDaugherty commented 3 years ago

@Obsiye this should be fixed in 2.10.0.beta1 (more info in #497). Can you give that a try? Also, can you let me know if your project uses Turbolinks? (I need to test this release both with and without Turbolinks.)

joelcahalan commented 3 years ago

We don't use Turbolinks or have any CSP configured, but when I get a Better Errors page it shows the message:

"Better Errors can't run Javascript here, possibly because you have a Content Security Policy along with Turbolinks. But you can open the interactive console in a new tab/window."

If I click the link for the interactive console it opens a page that is exactly the same as the first and without a console. I am using the master branch of Better Errors and Chrome "Version 89.0.4350.4 (Official Build) dev (x86_64)". Frustrating to not be able to get a console like I am used to. Any help on where to look for a solution?

Edit: I realized that if I wait long enough the console will appear, but it seems to take several minutes and then it freezes up a lot.

RobinDaugherty commented 3 years ago

@joelcahalan sorry that you're running into problems with this. Keep in mind that this is a beta version. I suggest you upgrade to the latest release version (2.9.1) if you're not interested in troubleshooting this prerelease version. There's a discussion area for the beta release if you'd like to help me troubleshoot.

Obsiye commented 3 years ago

Hi @RobinDaugherty , thank you for your quick response. Also, really sorry for my late response. I've tried using 2.10.0.beta1 and before this release, the right side was blank and now there's more information about the error.

However, the link to the interactive console just opens up a tab with the same error page (duplicate). Also, the browser console still outputs CSP blocks:

> Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src")

I don't believe we use Turbolinks. (Our Rails version is 6.1.0 and Ruby version is 2.7.1.)

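The whole thread turns on one question: does the app's Content-Security-Policy let an inline `<script>` run? As an added example (not code from better_errors or from anyone in this thread), this Ruby snippet parses a CSP header and reports whether a plain inline script would be allowed, including the CSP Level 3 rule that `'unsafe-inline'` is ignored once a nonce or hash source is present; the header strings are constructed samples.

```ruby
# Added example, not part of better_errors: check a CSP header string for
# whether a plain inline <script> (no nonce, no hash) would be allowed.

# Parse "directive src src; directive ..." into { directive => [sources] }.
# Directive names are case-insensitive; source expressions keep their case.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    name = tokens.shift.downcase
    acc[name] = tokens
  end
end

# script-src falls back to default-src when absent; with neither directive
# present, the policy does not restrict scripts at all.
def effective_script_sources(policy)
  policy["script-src"] || policy["default-src"]
end

# Returns { allowed: true/false, reason: "..." } for an inline script.
def inline_script_allowed?(header)
  sources = effective_script_sources(parse_csp(header))
  return { allowed: true, reason: "no script-src or default-src directive" } if sources.nil?

  has_nonce_or_hash = sources.any? { |s| s =~ /\A'(nonce-|sha(256|384|512)-)/ }
  has_unsafe_inline = sources.include?("'unsafe-inline'")

  if has_unsafe_inline && !has_nonce_or_hash
    { allowed: true, reason: "'unsafe-inline' is present" }
  elsif has_unsafe_inline
    # CSP3: browsers ignore 'unsafe-inline' when a nonce or hash source exists.
    { allowed: false, reason: "'unsafe-inline' ignored because a nonce/hash source is present" }
  else
    { allowed: false, reason: "inline scripts blocked by: #{sources.join(' ')}" }
  end
end

# Constructed sample policies (not taken from any real application).
STRICT_CSP     = "default-src 'self'; script-src 'self'"
NONCED_CSP     = "script-src 'self' 'nonce-abc123' 'unsafe-inline'"
PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

if __FILE__ == $PROGRAM_NAME
  [STRICT_CSP, NONCED_CSP, PERMISSIVE_CSP].each do |csp|
    puts "#{csp.inspect} => #{inline_script_allowed?(csp)}"
  end
end
```

The first and second policies reproduce the blank-right-pane behaviour reported above, since the browser refuses the page's inline script under both.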