Running the CSP headers introduced in https://github.com/taskcluster/taskcluster-tools/pull/563 seemed to work in production; however, I had to roll back after seeing the group inspector not loading.
There seems to be a call being made to `Function()` which is being blocked. After inspecting the issue, it turns out the `ajv.compile` uses `Function()` to inspect schemas at runtime. See source.

That being said, to fix this issue, we need to update the `script-src` to include `unsafe-eval`. Hopefully this fixes it.
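
An added example, not code from the pull request or from taskcluster-tools: a small JavaScript check for whether a CSP policy string permits `Function()` and `eval()`, the behaviour the `script-src` change described above turns on. The policy strings are constructed samples, and `parseCsp`, `allowsEval` and `codeGenWorks` are hypothetical names.

```javascript
// Constructed sample policies (not the real taskcluster-tools headers).
const before = "default-src 'none'; script-src 'self'; connect-src 'self'";
const after = "default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self'";

// Parse "name src1 src2; name2 src3" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by the browser; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), Function() and string timers are governed by script-src,
// with default-src as the fallback when script-src is absent.
function allowsEval(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing restricts script at all
  // Keyword sources match case-insensitively. 'wasm-unsafe-eval' does not count:
  // it only permits WebAssembly compilation, not Function().
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe for the same condition: under a policy without 'unsafe-eval'
// the browser throws an EvalError here, which is what a Function()-based
// schema compiler runs into.
function codeGenWorks() {
  try {
    return new Function('return 1')() === 1;
  } catch (err) {
    return false;
  }
}

// Note for review: 'unsafe-eval' applies to every script the policy lets run
// on the page, not only to the schema compiler.
console.log('before allows Function():', allowsEval(before));
console.log('after allows Function(): ', allowsEval(after));
console.log('code generation works in this runtime:', codeGenWorks());
```
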