wallabyjs / console-ninja

Repository for Console Ninja questions and issues
https://console-ninja.com

[Bug]: Won't load with SvelteKit CSP enabled #319

Closed selfagency closed 4 months ago

selfagency commented 4 months ago

What happened?

After enabling the content security policy script-src directive in my SvelteKit application, Console Ninja was no longer able to load because it inserts itself as an inline script without a nonce or a hash, either of which is required.

Version

v1.0.330

CLI command to start your dev tool

pnpm run dev

Steps to reproduce (or sample repo)

import adapter from '@sveltejs/adapter-node';
import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
import postcssConfig from 'postcss-load-config';

/** @type {import('@sveltejs/kit').Config} */
const config = {
  preprocess: [
    vitePreprocess({
      postcss: true,
      postcssConfig,
    }),
  ],

  kit: {
    adapter: adapter({ precompress: false }),
    csp: {
      directives: {
        'script-src': ['self', 'unsafe-eval', 'https://unpkg.com'],
      },
    },
    csrf: {
      checkOrigin: false,
    },
  },
};

export default config;

Log output

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://unpkg.com 'nonce-+TFg3eAOqrpM/uB1/Jxlew=='". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

smcenlly commented 4 months ago

Console Ninja needs to establish a connection back to localhost on your computer. You will need to disable CSP for your development environment only (not for your production system) while using Console Ninja from within VS Code.
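As an added example (not Console Ninja's or SvelteKit's own code), a small helper module that implements the "CSP in production only" approach from the reply above, plus a check that reproduces the browser rule quoted in the log output. The file name and the functions `cspForEnv`, `parseScriptSrc` and `inlineScriptAllowed` are hypothetical; it assumes Vite sets NODE_ENV to 'development' when `pnpm run dev` runs the dev server.

```javascript
// csp.config.js (hypothetical file): helpers for emitting SvelteKit's CSP in
// production only, so Console Ninja's inline bootstrap script still loads
// locally under `pnpm run dev` while deployed builds keep the policy.

// Value for `kit.csp` in svelte.config.js (use as `csp: cspForEnv()`).
// Assumes Vite sets NODE_ENV to 'development' for the dev server. Keyword
// sources are unquoted ('self'), the form SvelteKit expects; it adds the
// quotes when it emits the header / meta tag.
function cspForEnv(env = process.env.NODE_ENV) {
  if (env === 'development') {
    return undefined; // no csp block, so SvelteKit emits no policy in dev
  }
  return {
    mode: 'auto',
    directives: {
      'script-src': ['self', 'https://unpkg.com'],
    },
  };
}

// Extract the script-src source list from an emitted policy string, such as
// the one the browser quoted in the log output.
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('script-src'));
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// The rule from the log: once any nonce or hash source is present,
// 'unsafe-inline' is ignored, so an inline script runs only with a matching
// nonce (hash matching is left out here; an unmatched inline script, like the
// one Console Ninja injects, is refused). With no nonce/hash sources,
// 'unsafe-inline' alone permits it.
function inlineScriptAllowed(sources, scriptNonce) {
  const nonceOrHash = sources.some(
    (s) => s.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(s)
  );
  if (nonceOrHash) {
    return scriptNonce !== undefined && sources.includes(`'nonce-${scriptNonce}'`);
  }
  return sources.includes("'unsafe-inline'");
}

if (typeof module !== 'undefined') {
  module.exports = { cspForEnv, parseScriptSrc, inlineScriptAllowed };
}
```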