CSP violation: Blocked 'script' from 'eval:'

[sentry-io[bot]]

Sentry Issue: BIGCASES2-1G

{"csp-report":{"effective_directive":"script-src","blocked_uri":"eval","document_uri":"https://bots.law/","original_policy":"connect-src 'self' https://plausible.io/; script-src 'self' storage.bots.law https://plausible.io/ https://hcaptcha.com/; default-src 'self' storage.bots.law https://newassets.hcaptcha.com/; report-uri https://o399720.ingest.sentry.io/api/4504573893738496/security/?sentry_key=55e2a29e6b964e768eeebf0a368af7cd","referrer":"","status_code":200,"violated_directive":"script-src","line_number":3,"column_number":155,"script_sample":"","disposition":"enforce"}}

Blocked 'script' from 'eval:'

[mlissner]

Another CSP violation...eval on the homepage, I think?

Is this going to be better for @cweider or @ERosendo to hunt down? How far do you want to take this part of things, Chad?

[cweider]

There’s a good chance that it is from <a href="javascript:void(0)" that I see in case-form.html (though I’d expect that error to have a https://bots.law/add-cases/ URI). I see no easy way to get a channel list for my account, so @ERosendo – you’d be the best to take it.

Another potential is htmx, which has fallen a little bit in my estimation, seeing that it allows unrestricted evaluation of Javascript through its attributes (recreating problems of onClick). It has a configuration, allowEval, that disables it, but it’s not much of a fix – it just means that an exception is thrown earlier and does not create a security report. At a glance, I don’t see any uses that would trigger it. Nonetheless, it’d be a good place to look.

[mlissner]

The htmx docs say:

allowEval:true - boolean: allows the use of eval-like functionality in htmx, to enable hx-vars, trigger conditions & script tag evaluation. Can be set to false for CSP compatibility

Assuming we don't need it, maybe we set that to false and see if it fixes it?

it just means that an exception is thrown earlier and does not create a security report

I guess you're referring to maybeeval?

That seems kind of oK? What were you hoping it'd do?

[cweider]

Assuming we don't need it, maybe we set that to false and see if it fixes it?

If we have functionality that that relies on htmx’s use of eval, chances are that it will be broken regardless of the setting; allowEval: false is, largely, a cosmetic change. And so, before disallowing eval, it would be good to exercise bots.law’s htmx usage and try to find the issue (if any) first.

That seems kind of oK? What were you hoping it'd do?

Oh, I was thinking that rather than eval they’d not have the functionality at all (!), or a sandboxed scripting environment – a long time ago, for similar behavior, I had to create a regular subset of Javascript that could be used on element attributes and interpreted without causing security disasters.

[cweider]

@ERosendo – Worth mentioning that it is possible, even likely, that bots.law isn’t causing this! it could be a rogue plugin.