dequelabs / axe-cli

[Deprecated] A command-line interface for the aXe accessibility testing engine
Mozilla Public License 2.0
430 stars 44 forks

axe-cli hangs on websites with limited CSP #19

Open marcysutton opened 7 years ago

marcysutton commented 7 years ago

Related to https://github.com/dequelabs/axe-webdriverjs/issues/35, axe-cli hangs on websites that have a limited Content Security Policy (CSP). Because axe-cli injects a script to make sure you're on the same page (similar to how we used to do it in axe-webdriverjs), it can suffer from the same-origin policy depending on how that site is implemented.

How to reproduce:

  1. Update package.json to pull axe-webdriverjs@1.1.0
  2. Run axe-cli directly from this repository code on a site with limited CSP:
    node index.js https://github.com/dequelabs/axe-webdriverjs/
  3. Observe axe-cli hang for the length of the script timeouts, or longer.

I commented out lines 32-43 to avoid the script tag creation and inject the script directly (that was our fix in axe-webdriverjs) but it threw this error:

WebDriverError: {"errorMessage":"Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"script-src assets-cdn.github.com\".\n","request":{"headers":{"Accept":"application/json; charset=utf-8","Connection":"close","Content-Length":"451487","Content-Type":"application/json;charset=UTF-8","Host":"localhost:4444"},"httpVersion":"1.1","method":"POST","post":"{\"script\":\"(function axeFunction(window) {}

I'll keep looking into it, but I wanted to document this while it was on the top of my head.
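As an added illustration (not code from axe-cli or from anyone in this thread), the following JavaScript models how a page's Content-Security-Policy gates the three injection approaches mentioned above: an inline script element, string evaluation (the refusal quoted in the error), and a script loaded from a tool-controlled origin. The permissive policy, the `example.test` origins and the nonce value are constructed inputs; the restrictive policy is the directive from the error message.

```javascript
// Added example, not axe-cli's own code: a minimal model of how a page's
// Content-Security-Policy gates the script-injection approaches discussed above.
// Port and path matching of host-source expressions are deliberately omitted.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = values.map(v => v.toLowerCase());
  }
  return policy;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

// Does one source expression permit loading a script from scriptOrigin?
function sourceMatchesOrigin(source, scriptOrigin, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return scriptOrigin === pageOrigin;
  if (source.startsWith("'")) return false; // keywords, nonces, hashes never match a URL
  const target = new URL(scriptOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  return wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
}

function scriptInjectionAllowed(header, pageOrigin, externalScriptOrigin) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return { inlineScript: true, evalString: true, externalScript: true };
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    // a <script> element carrying the axe source inline needs 'unsafe-inline',
    // which CSP Level 2 browsers ignore once a nonce or hash is also listed
    inlineScript: sources.includes("'unsafe-inline'") && !hasNonceOrHash,
    // executeScript-style string evaluation (the error quoted above) needs 'unsafe-eval'
    evalString: sources.includes("'unsafe-eval'"),
    // a <script src> from a tool-controlled origin needs a matching host-source
    externalScript: sources.some(s => sourceMatchesOrigin(s, externalScriptOrigin, pageOrigin)),
  };
}

// Constructed inputs: the directive quoted in the WebDriver error, and a permissive policy.
const GITHUB_CSP = 'script-src assets-cdn.github.com';
const PERMISSIVE_CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.test";
console.log(scriptInjectionAllowed(GITHUB_CSP, 'https://github.com', 'https://github.com'));
```

Under the GitHub directive all three strategies come back `false`, which is why both the script-tag approach and the string-evaluation fallback hang or are refused; only a script served from `assets-cdn.github.com` itself would be permitted.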

dylanb commented 6 years ago

Example site https://www.dunkman.me

WilcoFiers commented 6 years ago

I did some searching today (also because I'm working on a related problem with Attest devtools). It looks like the only way to get around this is to disable CSP in user preferences. There are no dedicated flags available in Chrome or Firefox to turn it off, nor does webdriver fix this for us. http://www.seleniumeasy.com/selenium-tutorials/firefox-profile-preferences-using-selenium-webdriver

Funny enough, when I was searching for solutions, this issue right here was just about the only thing I could find of someone trying to do this.

dylanb commented 6 years ago

@WilcoFiers I think we could get around this by switching to puppeteer

I asked @stephenmathieson to look into this as part of what he is going to be working on

WilcoFiers commented 6 years ago

I thought that only worked for Chrome, no?

stephenmathieson commented 6 years ago

> I thought that only worked for Chrome, no?

Yes, Puppeteer is designed to work with Chrome. It could technically work with anything that implements the DevTools Protocol, but I don't know of a browser other than Chrome that does this.

I'll be spending some time thinking about this and experimenting with potential solutions to this issue over the next few days.

stephenmathieson commented 4 years ago

Has this been resolved?