SeleniumHQ / selenium-ide

Open Source record and playback test automation for the web.
https://selenium.dev/selenium-ide/
Apache License 2.0

tests require Content-Security-Policy unsafe-eval allowed #1870

Open peterdd opened 2 days ago

peterdd commented 2 days ago

šŸ› Bug Report

Trying to trigger a click (and maybe other events too) on a website that has some level of Content-Security-Policy restricting 'unsafe-eval', the test cannot be run due to eval() being called somewhere inside selenium-ide.

Why does it require eval()? Could this be solved by replacing that code with code that does not require eval()?

<?php
header("Content-Security-Policy:default-src 'none'; script-src 'self' 'unsafe-inline'");
//header("Content-Security-Policy:default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'");
?>
<html>
<button id="mybutton">Click me</button>
</html>

To Reproduce

Error because Selenium called eval() somewhere that is not allowed by the website CSP.

(screenshot: csptest)

Expected behavior

Test runs without error.

Project file

{
  "id": "20abfcba-2009-4014-8ab4-bee83e21a16c",
  "version": "2.0",
  "name": "csptest",
  "url": "http://10.0.0.3",
  "tests": [{
    "id": "a5ca51ca-2f96-49f7-91b6-336bb66ae272",
    "name": "clicktest",
    "commands": [{
      "id": "5ada58e3-4d5d-47f3-8104-8aae63624e08",
      "comment": "",
      "command": "open",
      "target": "/",
      "targets": [],
      "value": ""
    }, {
      "id": "cc1ced3e-da5e-4694-9800-b9491ece38e3",
      "comment": "",
      "command": "click",
      "target": "id=mybutton",
      "targets": [
        ["id=mybutton", "id"],
        ["css=#mybutton", "css:finder"],
        ["xpath=//button[@id='mybutton']", "xpath:attributes"],
        ["xpath=//button", "xpath:position"],
        ["xpath=//button[contains(.,'Click me')]", "xpath:innerText"]
      ],
      "value": ""
    }]
  }],
  "suites": [{
    "id": "ddf355fa-29bf-4c88-80e5-d033467c741d",
    "name": "Default Suite",
    "persistSession": false,
    "parallel": false,
    "timeout": 300,
    "tests": ["a5ca51ca-2f96-49f7-91b6-336bb66ae272"]
  }],
  "urls": ["http://10.0.0.3/"],
  "plugins": []
}

Environment

OS: macOS (x64 and aarch64)
Selenium IDE Version: 3.17.4
Browser: Firefox
Browser Version: Firefox 115.16.1esr (64-bit), Firefox 131.0.3 (aarch64)
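Added example, not part of selenium-ide or of the report above: a small parser that reads a Content-Security-Policy header like the one in the PHP snippet and reports whether it permits eval()/new Function(), plus a runtime probe a page script can use to detect the block. The function names, the CSP fallback rule from script-src to default-src, and the sample headers are my own; the headers are constructed to mirror the two lines of the PHP reproduction.

```javascript
// Decide from a CSP header string whether eval() is permitted.
// CSP rule applied here: the script-src directive governs eval; when it is
// absent, default-src applies; when neither is present, eval is unrestricted.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (!policy.has(name)) {
      policy.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return policy;
}

function cspAllowsEval(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive
  return sources.includes("'unsafe-eval'");
}

// Runtime probe for page context (e.g. a content script): browsers surface a
// CSP-blocked eval/new Function as a synchronously thrown EvalError.
function evalIsBlockedAtRuntime() {
  try {
    new Function('return 1')(); // governed by script-src like eval()
    return false;
  } catch (e) {
    return e instanceof EvalError;
  }
}

// Constructed sample headers (hypothetical), matching the PHP reproduction.
const RESTRICTIVE = "default-src 'none'; script-src 'self' 'unsafe-inline'";
const PERMISSIVE = "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const FALLBACK = "default-src 'self' 'unsafe-eval'"; // no script-src, so default-src governs

console.log('restrictive allows eval:', cspAllowsEval(RESTRICTIVE)); // false
console.log('permissive allows eval:', cspAllowsEval(PERMISSIVE)); // true
console.log('fallback allows eval:', cspAllowsEval(FALLBACK)); // true
```

Running the parser against a site's response headers before recording tells you up front whether a test that relies on eval() can succeed there; the runtime probe gives the same answer from inside the page.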

0xC4N1 commented 16 hours ago

This is due to browser extension limitations. As of now you can work around it by using Selenium IDE v4 or side-runner to execute your recorded tests on websites with content security policy limitations.