mojolicious / minion

:octopus: Perl high performance job queue
https://metacpan.org/release/Minion
Artistic License 2.0
221 stars 55 forks

Support Content Security Policies #89

Closed ChristophB closed 3 years ago

ChristophB commented 4 years ago

Steps to reproduce the behavior

Set a Content-Security-Policy header like script-src 'self';.

Expected behavior

Minion JS scripts should be executed by the browser.

Actual behavior

The browser refuses to execute inline scripts in minion/dashboard.html.ep and layouts/minion.html.ep.

Feature Request

kraih commented 4 years ago

I'm not seeing any problems with Chrome, Firefox, Safari and Edge. Which browser are you referring to?

ChristophB commented 4 years ago

It happens to me in Chrome, Edge and Opera.

I get the following errors in the browser console:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-<nonce-token>' 'unsafe-eval'".
Either the 'unsafe-inline' keyword, a hash ('sha256-eTNeYPL/SYISrqGh2NIwa4AvEW6t7UxO3jPechjijFE='), or a nonce ('nonce-...') is required to enable inline execution.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-<nonce-token>' 'unsafe-eval'".
Either the 'unsafe-inline' keyword, a hash ('sha256-Chlzz1cxGvHFIiw/mqDWMg9L5HqwdegP+fJTsLTibhc='), or a nonce ('nonce-...') is required to enable inline execution.

Both errors refer to the following Githubissues.
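Added example, not part of the original thread and not Minion's code: a small audit script that lists the inline scripts in a page, computes the `'sha256-...'` source the browser asks for in the errors above, and reports whether a given policy would let each one run. The sample HTML, the nonce value and the function names are constructed for illustration, and the model is simplified (`'strict-dynamic'` and other hash algorithms for matching are not handled).

```python
import base64
import hashlib
import re

# Constructed sample page for illustration; not Minion's real templates.
SAMPLE_HTML = """<html><head>
<script src="/minion/app.js"></script>
<script>var pollInterval = 3000;</script>
<script nonce="r4nd0m">startDashboard();</script>
</head></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
NONCE_RE = re.compile(r"""\bnonce=["']([^"']*)["']""", re.I)
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def csp_hash(body):
    """CSP hash source for an inline script body (exact text, byte for byte)."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def script_src(policy):
    """Source list governing scripts: script-src, else default-src, else None."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])  # first one wins
    return directives.get("script-src", directives.get("default-src"))

def audit(html, policy):
    """Return (hash_source, allowed) for each inline script in html."""
    sources = script_src(policy)
    results = []
    for attrs, body in SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.I):
            continue  # external script: matched against 'self'/host sources
        wanted = {csp_hash(body)}
        nonce = NONCE_RE.search(attrs)
        if nonce:
            wanted.add("'nonce-%s'" % nonce.group(1))
        if sources is None:
            allowed = True  # no policy applies to scripts
        elif wanted & set(sources):
            allowed = True  # explicit hash or nonce match
        else:
            # 'unsafe-inline' is ignored once any nonce or hash source is listed
            strict = any(s.startswith(STRICT_PREFIXES) for s in sources)
            allowed = "'unsafe-inline'" in sources and not strict
        results.append((csp_hash(body), allowed))
    return results
```

Running `audit(SAMPLE_HTML, policy)` against the templates a dashboard actually serves shows which inline blocks need a nonce, a hash entry, or a move into an external file before a strict `script-src` can be deployed.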
