harvesthq / platform

A whole new way to add time tracking to your web application.
https://www.getharvest.com/platform

CSP - Content Security Policy #42

Closed Artistan closed 6 years ago

Artistan commented 6 years ago

The button inclusion does not work for me due to CSP...

https://developer.chrome.com/apps/contentSecurityPolicy

[screenshot: screen shot 2017-08-29 at 2 23 53 pm]

Artistan commented 6 years ago

https://github.com/Artistan/harvest-scripts-integration/blob/master/harvest_git_integration.user.js

adunkman commented 6 years ago

It looks like the site that you’re attempting to integrate with uses a Content Security Policy. You’ll need to allow access to harvestapp.com in order to integrate — it’s not something that we can allow on our end.

Artistan commented 6 years ago

https://chrome.google.com/webstore/detail/content-security-policy-o/lhieoncdgamiiogcllfmboilhgoknmpi

[
    ["https://github\\.com", [
        ["img-src", "img-src https://*.harvestapp.com"],
        ["connect-src", "connect-src https://*.harvestapp.com"],
        ["child-src", "child-src https://*.harvestapp.com"],
        ["script-src", "script-src 'unsafe-eval'"]
    ]]
]

[screenshot: screen shot 2017-08-29 at 2 47 07 pm]

Artistan commented 6 years ago

What's up with just closing this with no feedback? @adunkman ? Your "embedded" code does not support CSP restrictions.

Artistan commented 6 years ago

https://github.com/Artistan/harvest-scripts-integration/blob/master/harvest_git_integration.user.js

This works in GitLab, similar to the Chrome plugin.

adunkman commented 6 years ago

I’m not sure what to tell you — our script requires access to our servers to function, and based on your screenshot above, a Content Security Policy is preventing the script from accessing our servers.

You’ll need to change the Content Security Policy to allow access, or the script won’t function. The Content Security Policy is set by the site that you’re integrating into — which unfortunately we at Harvest don’t have access to modify.

Our Chrome extension modifies Content Security Policies when appropriate, which is how it gets around the restrictions. If something works in GitLab but doesn’t work in other places, I’d expect the sites to have different Content Security Policies.
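
The behaviour adunkman describes, as an added example (not Harvest's, GitHub's or the extension's code): a simplified CSP evaluator showing how a host page's policy decides whether the embed may reach *.harvestapp.com, and how widening it the way the extension config above does changes the result. The two policies and the `example.harvestapp.com` hostname are constructed for illustration, not taken from GitHub or Harvest.

```javascript
// Added example, not Harvest's code: a simplified CSP evaluator covering the
// pieces this issue turns on. Real CSP matching also handles ports, paths,
// nonces and hashes (treated here as non-matching); this handles host sources,
// "*." wildcards, 'self', 'none' and the default-src fallback for fetch directives.
function parsePolicy(header) {
  // "img-src a b; connect-src c" -> { "img-src": ["a", "b"], "connect-src": ["c"] }
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (source.startsWith("'")) return false; // 'unsafe-eval', nonces, hashes: never match a URL
  // Host source: [scheme://][*.]host ; a "*." prefix permits subdomains only, not the bare host.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() !== target.protocol.slice(0, -1)) return false;
  const th = target.hostname.toLowerCase(), sh = host.toLowerCase();
  return wildcard ? th.endsWith("." + sh) : th === sh;
}

// Is a load of `url` under `directive` allowed? Fetch directives such as
// img-src, connect-src, child-src and script-src fall back to default-src
// when absent; with neither present, CSP imposes no restriction.
function cspAllows(policy, directive, url, pageOrigin) {
  const d = parsePolicy(policy);
  const sources = d[directive] || d["default-src"];
  return !sources || sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed policies (not GitHub's real header): one that blocks the embed the
// way the screenshot shows, and the same policy widened like the extension config.
const STRICT = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'";
const WIDENED = STRICT.replace(/(connect-src|img-src) 'self'/g, "$1 'self' https://*.harvestapp.com")
  + "; child-src https://*.harvestapp.com"; // must be named: otherwise it inherits default-src 'none'
const PAGE = "https://github.com";
const HARVEST = "https://example.harvestapp.com/embed"; // constructed host under the *.harvestapp.com wildcard

for (const directive of ["connect-src", "img-src", "child-src"]) {
  console.log(directive, "strict:", cspAllows(STRICT, directive, HARVEST, PAGE),
              "widened:", cspAllows(WIDENED, directive, HARVEST, PAGE));
}
```

Note that the widened policy only helps because the site operator sets it: the embed itself cannot relax a policy the host page delivers.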

Artistan commented 6 years ago

Thank you for the reply.