selenium-ide
selenium-ide copied to clipboard
Published
20 hours ago •
SeleniumHQ
SeleniumHQ
tests require Content-Security-Policy unsafe-eval allowed
trafficstars
🐛 Bug Report
Trying to trigger a click (and maybe other events too) on a website that has some level of Content-Security-Policy restricting 'unsafe-eval', the test cannot be run due eval() called somewhere inside selenium-ide.
Why it requires eval()? Could this be solved by replacing code that does not require eval()?
<?php
header("Content-Security-Policy:default-src 'none'; script-src 'self' 'unsafe-inline'");
//header("Content-Security-Policy:default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'");
?>
<html>
<button id="mybutton">Click me</button>
</html>
To Reproduce
Error because Selenium called eval() somewhere that is not allowed by the website CSP.
Expected behavior
Test runs without error.
Project file
{
"id": "20abfcba-2009-4014-8ab4-bee83e21a16c",
"version": "2.0",
"name": "csptest",
"url": "http://10.0.0.3",
"tests": [{
"id": "a5ca51ca-2f96-49f7-91b6-336bb66ae272",
"name": "clicktest",
"commands": [{
"id": "5ada58e3-4d5d-47f3-8104-8aae63624e08",
"comment": "",
"command": "open",
"target": "/",
"targets": [],
"value": ""
}, {
"id": "cc1ced3e-da5e-4694-9800-b9491ece38e3",
"comment": "",
"command": "click",
"target": "id=mybutton",
"targets": [
["id=mybutton", "id"],
["css=#mybutton", "css:finder"],
["xpath=//button[@id='mybutton']", "xpath:attributes"],
["xpath=//button", "xpath:position"],
["xpath=//button[contains(.,'Click me')]", "xpath:innerText"]
],
"value": ""
}]
}],
"suites": [{
"id": "ddf355fa-29bf-4c88-80e5-d033467c741d",
"name": "Default Suite",
"persistSession": false,
"parallel": false,
"timeout": 300,
"tests": ["a5ca51ca-2f96-49f7-91b6-336bb66ae272"]
}],
"urls": ["http://10.0.0.3/"],
"plugins": []
}
Environment
OS: macOS (x64 and aarch64) Selenium IDE Version: 3.17.4 Browser: Firefox Browser Version: Firefox 115.16.1esr (64-bit), Firefox 131.0.3 (aarch64)
