Open rbclark opened 1 year ago
@rbclark I'm running into the same problem - did you ever figure out a solution?
I've been running with `Bullet.skip_html_injection = true` in order to avoid this. Unfortunately that means no alerts in the browser, but that was the best I could find.
Ok cool - thanks for the tip.
I think a reasonable fix would be to remove the `&& Rails.application.config.content_security_policy` check in the code. I don't see any downsides of inserting the `Bullet::Rack` middleware before `ActionDispatch::ContentSecurityPolicy::Middleware`.
Here's an alternative: add this to your `config/environments/development.rb`:

```ruby
MyApp::Application.configure do
  # ...
  config.content_security_policy { }
  # ...
end
```

That will initialize an empty policy prior to bullet init, which makes `Rails.application.config.content_security_policy` truthy. It still configs your real CSP afterwards, so it seems to be safe.
I'm wondering if @baueric's solution ☝️ is still the recommended workaround.
I currently have a content security policy set up in my application; however, it is not detected by bullet (I am running v7.0.7 of bullet). In order to investigate, I went ahead and put a breakpoint in the bullet loader and discovered the following:

Based on this, it looks like bullet is loading too early and is ill positioned to actually detect whether the CSP middleware is loaded. In order to try to fix it, I tried moving the bullet initializer before and after the CSP loader, but to no avail.
If I modify the bullet code to always call `app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, Bullet::Rack`, then everything works properly, which confirms the issue is the loader not being able to detect the CSP.
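The thread reports that `insert_before` the CSP middleware works while the fallback position does not, but does not spell out what the position changes. The following is an added, stand-alone simulation (not code from this thread, from Bullet, or from Rails) of the one mechanism that middleware order governs in plain Rack: a middleware placed outside the CSP middleware sees the `Content-Security-Policy` header the CSP middleware adds on the way out, so it can copy the nonce into the `<script>` it injects; a middleware placed inside it sees no such header and injects a nonce-less script that a nonce-based policy will block. The class names, the `console.log` payload, the nonce format and the header-parsing approach are all constructed for the illustration and are not a description of Bullet's internals.

```ruby
require 'securerandom'

# Innermost app: returns a small HTML page (constructed sample response).
APP = lambda do |_env|
  [200, { 'content-type' => 'text/html' }, ['<html><body><h1>hello</h1></body></html>']]
end

# Stand-in for ActionDispatch::ContentSecurityPolicy::Middleware (assumption,
# not the real class): generates a per-request nonce and sets the CSP header
# on the RESPONSE, i.e. after the inner app has already returned.
class CspMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    nonce = SecureRandom.base64(16)
    status, headers, body = @app.call(env)
    headers['content-security-policy'] = "script-src 'self' 'nonce-#{nonce}'"
    [status, headers, body]
  end
end

# Stand-in for an HTML-injecting middleware such as Bullet::Rack (assumption):
# appends an inline <script> to HTML responses and, when the response already
# carries a CSP header with a nonce, tags the script with that nonce.
class InjectorMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless headers['content-type'].to_s.include?('text/html')

    nonce = headers['content-security-policy'].to_s[/'nonce-([^']+)'/, 1]
    attr = nonce ? %( nonce="#{nonce}") : ''
    html = body.join.sub('</body>', "<script#{attr}>console.log('injected')</script></body>")
    [status, headers, [html]]
  end
end

# Build the stack in either order, outermost first, as Rails' middleware list is.
def build_stack(injector_before_csp:)
  if injector_before_csp
    InjectorMiddleware.new(CspMiddleware.new(APP))   # like insert_before CSP
  else
    CspMiddleware.new(InjectorMiddleware.new(APP))   # like plain `use` (inside CSP)
  end
end

# True only when the injected <script> carries the exact nonce the CSP header allows.
def injected_script_allowed?(injector_before_csp:)
  _status, headers, body = build_stack(injector_before_csp: injector_before_csp).call({})
  header_nonce = headers['content-security-policy'].to_s[/'nonce-([^']+)'/, 1]
  script_nonce = body.join[/<script nonce="([^"]+)">/, 1]
  !header_nonce.nil? && header_nonce == script_nonce
end

if __FILE__ == $PROGRAM_NAME
  puts "injector outside CSP (insert_before): #{injected_script_allowed?(injector_before_csp: true)}"
  puts "injector inside CSP (use):            #{injected_script_allowed?(injector_before_csp: false)}"
end
```

Run it with plain `ruby`; no gems beyond the standard library are needed. The real ActionDispatch middleware sets its header on the response path as this toy does, but it also exposes the nonce on the request object (`request.content_security_policy_nonce`), which the toy deliberately does not model; the point here is only that header visibility, and therefore whether an injected script can be made to satisfy the policy, depends on where the injector sits in the stack.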