supertokens / dashboard

User management dashboard

Content-Security-Policy-Report-Only Should Not Break Dashboard #146

Open davidkassa opened 4 months ago

davidkassa commented 4 months ago

Hi,

I recently enabled CSP with Report-Only flag on my site which blocked the User Dashboard. The point of Report-Only is that it should not change anything. While it was helpful to see the violations, this can be found in the console.

https://supertokens.com/docs/thirdpartyemailpassword/pre-built-ui/setup/user-management-dashboard/setup#content-security-policy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

rishabhpoddar commented 4 months ago

Did adding the headers pointed out by the error solve the issue?

davidkassa commented 4 months ago

Yes, that was a simple workaround but the expectation is that Report-Only won't change site behavior. Ideally, you could list the requirements in the docs too. Here's the list I found:

    connect-src 'self';
    default-src 'none';
    script-src 'unsafe-eval';
    style-src-attr 'unsafe-inline';
    font-src https://fonts.gstatic.com;
    form-action 'none';
    frame-ancestors 'none';
    img-src https://cdn.jsdelivr.net/gh/supertokens/;

On May 27, 2024, at 12:17 AM, Rishabh Poddar wrote:

> Did adding the headers pointed out by the error solve the issue?

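As an added example (not code from the SuperTokens dashboard), this shows how a browser app can observe CSP violations without letting a Report-Only policy change its behaviour: the standard `securitypolicyviolation` event carries a `disposition` of `"report"` under Content-Security-Policy-Report-Only and `"enforce"` under a real block. The header value is constructed from the directive list above; `parseCsp`, `handleViolation` and `newState` are names chosen here, not dashboard APIs.

```javascript
// Added example, not SuperTokens code. Assumes the app listens for the
// standard `securitypolicyviolation` event, whose `disposition` is
// "enforce" for a real block and "report" for a Report-Only policy.

// Parse a CSP header value into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

function newState() {
  return { blocked: false, violations: [] };
}

// Record every violation, but only flag the app as broken when the
// policy was actually enforced. Report-Only must stay observation-only.
function handleViolation(evt, state) {
  state.violations.push({
    directive: evt.effectiveDirective || evt.violatedDirective,
    blockedURI: evt.blockedURI,
    disposition: evt.disposition,
  });
  if (evt.disposition === "enforce") state.blocked = true;
  return state;
}

// Constructed header value built from the directive list in the issue.
const DASHBOARD_CSP =
  "connect-src 'self'; default-src 'none'; script-src 'unsafe-eval'; " +
  "style-src-attr 'unsafe-inline'; font-src https://fonts.gstatic.com; " +
  "form-action 'none'; frame-ancestors 'none'; " +
  "img-src https://cdn.jsdelivr.net/gh/supertokens/";

if (typeof window !== "undefined") {
  const state = newState();
  window.addEventListener("securitypolicyviolation", (evt) => {
    handleViolation(evt, state);
    const last = state.violations[state.violations.length - 1];
    // Surface an error to the user only for enforced blocks; report-only
    // violations go to the console for the operator to tune the policy.
    if (state.blocked) console.error("CSP blocked the dashboard", last);
    else console.warn("CSP report-only violation (no effect)", last);
  });
}
```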