Closed jcorporation closed 5 years ago
myMPD should not need 'unsafe-inline' or 'unsafe-eval'. There is no inline JavaScript and also 'eval' is not used. I also use firefox and I see no error from content-security-policy. Is it eventually a plugin that causes that issue?
I know it's not a ff plugin issue as the error shows with plugins disabled. From the console debug page in ff:
<script src="js/i18n.min.js"></script>
<script src="js/keymap.min.js"></script>
<script src="js/bootstrap-native-v4.min.js"></script>
<script src="js/mympd.min.js"></script>
CSP issue is probably being caused by one of the above scripts not being accounted for. To start, I would do a test build adding unsafe-eval and unsafe-inline to script-src in web_server.c to see if the issue clears in firefox and go from there.
As for the queue control glyph, I just checked webconsole in 5.4.0 and I also have the same CSP errors, but the queue control glyph works fine in that version on firefox. That may or may not be related to the CSP, but I'm leaning towards not related at this point. I'm starting to think the CSP issue is just a minor annoyance that can be put on the back-burner at this point.
I'll rebuild the latest git commit on another machine in a bit just to make sure the glyph issue isn't just on my end.
The glyph issue is fixed, as mentioned in the other issue: https://github.com/jcorporation/myMPD/issues/131#issuecomment-504040869
What version of firefox do you use? I use 67.0.3 on linux with no CSP errors in the console.
67.0.3 (64-bit) on linux
Hm, exactly the same version. Eventually a connection issue. Do you use ssl or not?
CSP issue is on my end on this machine. It's not occurring on another machine. This can be closed as it's user error on my part. Thanks. (glyph works fine now too.)
EDIT: It was a stray userscript throwing out the error which isn't even running on my intranet sites. Don't I feel dumb.
EDIT2: Actually it's the tampermonkey addon itself and not even a running script.
I should note, the problem is in firefox. Chrome/chromium seem to work fine.
If that's the workaround in web_server.c lines 317-320, it's not accounting for inline or eval. You may need to add 'unsafe-inline' and 'unsafe-eval' to script-src, or add nonce/hashes (which would be better).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
Again, everything seems to be working properly in chromium but I'm almost certain the CSP is the problem in firefox.
EDIT: and the last build I installed was for standard linux install, not arch specific. I get the problem on both build types.
Originally posted by @CultofRobots in https://github.com/jcorporation/myMPD/issues/131#issuecomment-504048698
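An added example, not part of the thread or of myMPD's code: a small Python audit that checks whether a page's own markup needs 'unsafe-inline' under a given policy, run here over the four script tags quoted in the thread. The CSP header value and the inline sample are constructed for illustration; the thread does not show the header myMPD actually sends.

```python
from html.parser import HTMLParser

# The four script tags quoted in the thread.
PAGE_SCRIPTS = "".join(f'<script src="js/{n}.min.js"></script>\n' for n in
                       ("i18n", "keymap", "bootstrap-native-v4", "mympd"))
# Constructed values: the thread does not show myMPD's real header.
CONSTRUCTED_CSP = "default-src 'none'; script-src 'self'"
CONSTRUCTED_INLINE = '<button onclick="play()">Play</button><script>var x = 1;</script>'

class ScriptAudit(HTMLParser):
    """Collects external scripts, inline <script> bodies and on* handlers."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.external.append(attrs["src"])
        elif tag == "script":
            self._in_inline = True
        self.inline += [f"{tag}[{k}]" for k in attrs if k.startswith("on")]
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append("<script> body")
            self._in_inline = False  # count each block once
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(html, csp_header):
    page = ScriptAudit()
    page.feed(html)
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src", []))
    # Nonce/hash sources disable 'unsafe-inline'; per-block matching is not done.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    inline_allowed = "'unsafe-inline'" in sources and not strict
    return {"external": page.external, "inline": page.inline,
            "markup_violates_policy": bool(page.inline) and not inline_allowed}
```

When the page's own markup comes back clean, a CSP violation in the console has to originate outside that markup, such as script injected by a browser addon. Markup alone does not show whether the loaded files call eval, so 'unsafe-eval' needs a separate check of the scripts themselves.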