hans-lizihan / bull-master

Nice UI for bull and bullmq
MIT License
153 stars 12 forks

bull-master breaks with strict Content Security Policy headers #304

Open jcarrillo7 opened 3 years ago

jcarrillo7 commented 3 years ago

Using CSP headers which disallow unsafe inline scripts breaks bull-master. From a quick look, it looks like it is mainly due to how basePath is passed to the client.

The generated HTML ends up with:

<script>
      window.basePath = '.....'
</script>

This breaks CSP (using helmet exposes this). One alternative would be to provide a way to pass the per-request nonce to bull-master (or pick it up from res.locals if set there). Or just completely avoid this mechanism for passing the basePath to the client.

hans-lizihan commented 3 years ago

@jcarrillo7 thanks for the feedback, I could do a refactor to move basePath to session