mozilla / sumo

Project management board for SUMO and Community properties.
Mozilla Public License 2.0

[Wagtail] CSP violations #1817

Closed emilghittasv closed 4 days ago

emilghittasv commented 1 month ago

Steps to reproduce the behavior:

  1. Go to https://support.allizom.org/cms/

Expected behavior: No CSP violations.

Actual behavior: Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' https://*.mozilla.org https://*.webservices.mozgcp.net https://*.google-analytics.com https://*.googletagmanager.com https://pontoon.mozilla.org/ https://*.jsdelivr.net”

Additional context: This issue is reproducible in stage only.

emilghittasv commented 4 weeks ago

Status Update: We have re-enabled Wagtail in stage in order to test the fix for the CSP violations.

Unfortunately we are still seeing CSP violations: Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' https://*.mozilla.org https://*.webservices.mozgcp.net https://*.google-analytics.com https://*.googletagmanager.com https://pontoon.mozilla.org/ https://*.jsdelivr.net 'unsafe-inline' 'nonce-DDNO07XZxGI+cnNSM/4LJQ=='”

and Uncaught TypeError: window.fileupload_opts is undefined which prevents document and image uploads.
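As an added example (not code from the SUMO project or from this issue), a small Python checker that applies the CSP Level 3 source-matching rules to the two directives quoted above: it shows why the first, host-only list blocks every inline script, and why the second still blocks an inline script that carries no matching nonce attribute, because once a 'nonce-…' or hash source is present browsers ignore 'unsafe-inline'. The function names and the "wrong nonce" sample value are assumptions; the directives and the stage nonce are the ones quoted in the comments.

```python
"""Check whether a CSP directive lets an inline <script> element run.

Implements the CSP Level 3 rules browsers apply to the two script-src
directives quoted in this issue (directive text copied from the comments).
"""
import re
from typing import Dict, List, Optional, Tuple

# Directive from the first report: host sources only, no nonce or hash.
FIRST_CSP = ("script-src 'self' https://*.mozilla.org https://*.webservices.mozgcp.net "
             "https://*.google-analytics.com https://*.googletagmanager.com "
             "https://pontoon.mozilla.org/ https://*.jsdelivr.net")
# Directive from the status update: same hosts plus 'unsafe-inline' and a nonce.
STAGE_CSP = FIRST_CSP + " 'unsafe-inline' 'nonce-DDNO07XZxGI+cnNSM/4LJQ=='"
STAGE_NONCE = "DDNO07XZxGI+cnNSM/4LJQ=="


def parse_directives(csp: str) -> Dict[str, List[str]]:
    """Split a policy into {directive-name: [source tokens]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def script_sources(csp: str) -> List[str]:
    """Source list governing <script> elements, with CSP3 fallback order."""
    d = parse_directives(csp)
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in d:
            return d[name]
    return []


def inline_script_allowed(csp: str, nonce: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for an inline script with the given nonce attr."""
    sources = script_sources(csp)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.lower().startswith("'nonce-")}
    hashes = [s for s in sources if re.match(r"'sha(256|384|512)-", s, re.I)]
    if nonce is not None and nonce in nonces:
        return True, "script nonce matches a 'nonce-...' source"
    if nonces or hashes:
        # A nonce or hash source turns 'unsafe-inline' into a no-op (CSP3).
        return False, "nonce/hash present, so 'unsafe-inline' is ignored and no nonce matched"
    if "'unsafe-inline'" in (s.lower() for s in sources):
        return True, "'unsafe-inline' with no nonce or hash sources"
    return False, "host-only source list: inline scripts are never allowed"


if __name__ == "__main__":
    for label, csp, n in (("first report", FIRST_CSP, None),
                          ("stage, no nonce attr", STAGE_CSP, None),
                          ("stage, matching nonce", STAGE_CSP, STAGE_NONCE)):
        print(f"{label}: {inline_script_allowed(csp, n)}")
```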

emilghittasv commented 3 weeks ago

I can confirm that this issue is verified fixed in stage.

Moving this ticket inside the release column.