dequelabs / axe-webdriverjs

Provides a chainable axe API for Selenium's WebDriverJS and automatically injects into all frames.
Mozilla Public License 2.0

Content Security Policy issue in Chrome and Firefox #35

Closed VivaGrendel closed 7 years ago

VivaGrendel commented 7 years ago

Hello, I'm trying to make the example below (taken from the project's README) work on my local machine, but it does not produce any result:

var AxeBuilder = require('axe-webdriverjs');
var WebDriver = require('selenium-webdriver');

// Start a Firefox session through WebDriverJS.
var driver = new WebDriver.Builder()
  .forBrowser('firefox')
  .build();

// Navigate, then run axe against the loaded page and print the results.
driver
  .get('https://github.com/dequelabs/axe-webdriverjs')
  .then(function () {
    AxeBuilder(driver)
      .analyze(function (results) {
        console.log(results);
      });
  });

The browser is started and it navigates to the page but then, nothing. Investigation in the web console of the started browser (Chrome) shows:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets-cdn.github.com". Either the 'unsafe-inline' keyword, a hash ('sha256-XLagEkykG1v43U0BgF8iu7TAQJNjcpwT1QLNqImVlPk='), or a nonce ('nonce-...') is required to enable inline execution.

From what I understand, you try to inject the axe js code directly inside a script tag. This does not comply with default security policies of modern browsers.

I could not find proper or clean ways to disable CSP in the browsers I need to test.

Am I missing something or is there any workaround?

VivaGrendel commented 7 years ago

I've just read issue #33. So the CSP issue is a known one. Does it mean axe-webdriverjs does not work (yet?) on CSP-enabled web sites?

Reading Chrome documentation, it seems the browser is now blocking inline scripts and the only way to "relax" this is to whitelist the script in the CSP header.

See https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-inline-script

dylanb commented 7 years ago

We are working on a fix for this. Closing due to duplicate.