MetaMask / metamask-extension


[Bug]: CSP issue related to Javascript #25354

Open NicolasFeat opened 4 months ago

NicolasFeat commented 4 months ago

Describe the bug

The extension on Chrome produces the following error: "Security Policy of your site blocks the use of 'eval' in JavaScript". When deactivated and the browser rebooted, the error goes away. When activated, the error appears again.

Expected behavior

No error in inspect mode

Screenshots/Recordings

No response

Steps to reproduce

  1. Open any page in Chrome
  2. Open inspect mode

Error messages or log output

The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.
To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.
Allowing string evaluation comes at the risk of inline script injection.
1 directive

| Source location | Directive | Status |
|---|---|---|
| | script-src | blocked |

Version

11.16.10

Build type

None

Browser

Chrome

Operating system

Windows

Hardware wallet

No response

Additional context

No response

Severity

gauthierpetetin commented 4 months ago

Hi @NicolasFeat , thanks for reporting this issue. We're not able to reproduce, can you please send us a recording?

NicolasFeat commented 3 months ago

Hi @gauthierpetetin of course, here is a screenshot.

Screenshot
gauthierpetetin commented 3 months ago

Hi @NicolasFeat , thanks for this screenshot. Can you please also send us a recording showing steps to reproduce?

seniorjoinu commented 3 months ago

> Hi @NicolasFeat , thanks for this screenshot. Can you please also send us a recording showing steps to reproduce?

Having the same issue on both Windows and Ubuntu. This message is shown right after a website, that is trying to connect to Metamask, is loaded.

This started recently, maybe after some recent chrome update. Updating chrome to the latest version does not help.

Also, I can't see anything not working properly when this error appears. Everything seems to function as usual. CSP settings of our own website allow unsafe-eval and we are still getting this message for some reason.

This seems related.
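A site owner who sees this message despite allowing `unsafe-eval` can check the CSP violation reports their `report-uri` endpoint receives: the `source-file` of an eval violation raised by an injected extension script carries an extension scheme rather than the site's origin. The following triage is an added example, not code from this issue or from the MetaMask code base; the report objects are constructed in the `csp-report` JSON shape and the extension id is a placeholder.

```javascript
// Added example (not from this issue or MetaMask): classify CSP violation
// reports so blocked eval() calls can be attributed to the site's own
// scripts, third-party scripts, or a browser-extension script.
// Reports use the report-uri "csp-report" shape; samples are constructed.

const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-web-extension:'];

function parseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null; // empty or relative source-file values
  }
}

// True when script-src refused string evaluation (eval, new Function,
// setTimeout/setInterval with a string); Chrome reports blocked-uri "eval".
function isEvalViolation(report) {
  const directive = (report['effective-directive'] || report['violated-directive'] || '').split(' ')[0];
  return directive.startsWith('script-src') && report['blocked-uri'] === 'eval';
}

// Returns 'not-eval', 'extension', 'site', 'third-party' or 'unknown'.
function classifyEvalViolation(report) {
  if (!isEvalViolation(report)) return 'not-eval';
  const source = parseUrl(report['source-file']);
  if (source === null) return 'unknown';
  if (EXTENSION_SCHEMES.includes(source.protocol)) return 'extension';
  const page = parseUrl(report['document-uri']);
  return page !== null && source.origin === page.origin ? 'site' : 'third-party';
}

// Count categories over a batch of reports, e.g. one endpoint's inbox.
function summarizeEvalViolations(reports) {
  const counts = {};
  for (const report of reports) {
    const category = classifyEvalViolation(report);
    counts[category] = (counts[category] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports; EXAMPLE_EXTENSION_ID is a placeholder.
const SAMPLE_REPORTS = [
  { 'document-uri': 'https://dapp.example/', 'effective-directive': 'script-src',
    'blocked-uri': 'eval', 'source-file': 'chrome-extension://EXAMPLE_EXTENSION_ID/inpage.js' },
  { 'document-uri': 'https://dapp.example/', 'effective-directive': 'script-src',
    'blocked-uri': 'eval', 'source-file': 'https://dapp.example/static/app.js' },
  { 'document-uri': 'https://dapp.example/', 'violated-directive': "script-src 'self'",
    'blocked-uri': 'eval', 'source-file': 'https://cdn.example.net/lib.js' },
  { 'document-uri': 'https://dapp.example/', 'effective-directive': 'script-src',
    'blocked-uri': 'https://cdn.example.net/other.js', 'source-file': '' },
];
```

An `extension` result means the violation is not something the site's own policy can silence, which matches the observation above that allowing `unsafe-eval` did not remove the message.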

github-actions[bot] commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days if there is no further activity. The MetaMask team intends on reviewing this issue before close, and removing the stale label if it is still a bug. We welcome new comments on this issue. We do not intend on closing issues if they report bugs that are still reproducible. Thank you for your contributions.