cypress-axe icon indicating copy to clipboard operation
cypress-axe copied to clipboard
verified publisher icon component-driven

"cypress-axe": "^0.14.0" Blocked by Cors 'unsafe-eval'

Open gchales opened this issue 3 years ago • 2 comments

Packages:

        "cypress": "^9.7.0",
        "axe-core": "^4.4.2",
        "cypress-axe": "^0.14.0",

Error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'

Code Triggering Error:

node_modules/cypress-axe/dist/index.js

exports.injectAxe = function () {
    var fileName = typeof (require === null || require === void 0 ? void 0 : require.resolve) === 'function'
        ? require.resolve('axe-core/axe.min.js')
        : 'node_modules/axe-core/axe.min.js';
    cy.readFile(fileName).then(function (source) {
        return cy.window({ log: false }).then(function (window) {

            window.eval(source);  // Triggers Cors error.

        });
    });
};

gchales avatar Jun 06 '22 16:06 gchales

Maybe there is a more secure way of loading axe script?

djejaquino avatar Jul 04 '22 20:07 djejaquino

Want to add that we are also running into this issue. However, by importing @axe-core/react in our base index.tsx file we are able to run the cy.checkA11y() command without manually doing cy.injectAxe() in the test files.

TMUND avatar Feb 16 '24 23:02 TMUND