salesforce / lwc

⚡️ LWC - A Blazing Fast, Enterprise-Grade Web Components Foundation
https://lwc.dev

javascript:void causes CSP error in lightning-progress-step #2338

Open jove4015 opened 3 years ago

jove4015 commented 3 years ago

Description

Steps to Reproduce

https://webcomponents.dev/edit/iOI2o9ZhYfIQhL32Mzth


        <div class="progress-bar">
            <lightning-progress-indicator current-step="1" type="path" has-error="true" variant="base">
                <lightning-progress-step label="Select Items" value="1"></lightning-progress-step>
                <lightning-progress-step label="Make Adjustments" value="2"></lightning-progress-step>
                <lightning-progress-step label="Confirm Credit" value="3"></lightning-progress-step>
                <lightning-progress-step label="Done" value="4"></lightning-progress-step>
            </lightning-progress-indicator>  
        </div>     

Expected Results

Should be able to click from step to step in progress indicator without CSP errors in console.

Actual Results

You get this error in the console, and none of the progress-step events fire:

Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-OdZeVsYPce120YkcJhVd5EoK5VP1rai6' chrome-extension: 'unsafe-inline' 'unsafe-eval' .canary.lwc.dev .visualforce.com https://ssl.gstatic.com/accessibility/". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

This does not happen on webcomponents.dev because the CSP is not the same as a Salesforce org. You have to do this in an actual Salesforce org to see the problem.

Browsers Affected

Chrome, Latest

Version

Unclear. This is in my pretty standard sandbox.

Possible Solution

If you look at the code generated, you will see this:

```html
<a aria-selected="true" href="javascript:void(0);" role="option" tabindex="0" class="slds-path__link"> ...
```

Can we please remove the javascript:void(0) and replace it with something valid under Salesforce's CSP?

Additional context/Screenshots

I believe a "#" would be sufficient.
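
Added example, not part of the original report and not LWC or Salesforce code: a simplified model of the browser's CSP check for `javascript:` URLs, showing why the policy quoted in the console error blocks the generated anchor even though it lists 'unsafe-inline'. The function names are hypothetical, and hash matching through 'unsafe-hashes' is assumed out of scope.

```javascript
// Added illustration, not LWC or Salesforce code: a simplified model of the
// CSP inline check that browsers apply to javascript: URL navigations.

// Policy copied from the console error quoted in the report.
const ORG_POLICY = "script-src 'self' 'nonce-OdZeVsYPce120YkcJhVd5EoK5VP1rai6' " +
  "chrome-extension: 'unsafe-inline' 'unsafe-eval' .canary.lwc.dev " +
  ".visualforce.com https://ssl.gstatic.com/accessibility/";

// Parse a policy string into a Map of directive name -> source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Decide whether an <a href="javascript:..."> click may run under the policy.
// Assumption: hash matching through 'unsafe-hashes' is not modelled here.
function javascriptUrlVerdict(policy) {
  const d = parseCsp(policy);
  // Directive fallback chain that governs javascript: navigations.
  const sources = d.get('script-src-elem') || d.get('script-src') || d.get('default-src');
  if (!sources) return { allowed: true, reason: 'no script directive in policy' };
  const lower = sources.map((s) => s.toLowerCase());
  if (!lower.includes("'unsafe-inline'")) {
    return { allowed: false, reason: "'unsafe-inline' not present" };
  }
  // A nonce, hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
  const override = lower.find((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'");
  if (override) {
    const kind = override.startsWith("'nonce-") ? 'nonce' : override.startsWith("'sha") ? 'hash' : 'strict-dynamic';
    return { allowed: false, reason: `'unsafe-inline' ignored: ${kind} source present` };
  }
  return { allowed: true, reason: "'unsafe-inline' in effect" };
}

// Collect href values that use the javascript: scheme (regex scan of
// component markup, not a full HTML parser).
function findJavascriptHrefs(markup) {
  const re = /href\s*=\s*(["'])\s*(javascript:.*?)\1/gi;
  return [...markup.matchAll(re)].map((m) => m[2]);
}
```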

uip-robot-zz commented 3 years ago

This issue has been linked to a new work item: W-9302694

uip-robot-zz commented 3 years ago

This issue has been linked to a new work item: W-9302695

puneetgaur1977 commented 3 years ago

Hi Team,

I am also facing a similar issue in code. Did anyone find the solution to resolve this issue?

Regards, Puneet Gaur

pmdartus commented 3 years ago

There is currently no update on this issue from the Lightning base component team.

ksunil07 commented 2 years ago

Hi Salesforce Team,

My Org is also seeing this issue. Please do provide an update on this.

Thanks, Sunil

gdevarapalli commented 2 years ago

same issue

tpiechota commented 2 years ago

Same here

kovdmm commented 1 year ago

Same here