
Fix CSP header

Open gskril opened this issue 5 months ago • 3 comments

Cloudflare shows the following warning on every build since #424. GPT5 applied the fix in the PR.

22:16:33.293	Found invalid header lines:

22:16:33.293	  - #1:  Content-Security-Policy: default-src 'self'; script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev https://fonts.googleapis.com 'unsafe-inline'; style-src-attr 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src-elem 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; connect-src 'self' https://eth.merkle.io https://euc.li https://api.opensea.io https://ipfs.io https://docs.ens.domains; img-src 'self' data: blob: https://*.docs-bao.pages.dev https://euc.li https://api.opensea.io https://ipfs.io https://i.seadn.io; font-src 'self' https://*.docs-bao.pages.dev https://fonts.gstatic.com; object-src 'none';

22:16:33.293	    Path should come before header (content-security-policy: default-src 'self'; script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev https://fonts.googleapis.com 'unsafe-inline'; style-src-attr 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src-elem 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; connect-src 'self' https://eth.merkle.io https://euc.li https://api.opensea.io https://ipfs.io https://docs.ens.domains; img-src 'self' data: blob: https://*.docs-bao.pages.dev https://euc.li https://api.opensea.io https://ipfs.io https://i.seadn.io; font-src 'self' https://*.docs-bao.pages.dev https://fonts.gstatic.com; object-src 'none';)

This PR leaves the following console error in the preview build:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'".

It appears that Vocs doesn't like the restriction... leaving as draft for now, not an urgent fix unless you feel differently @talentlessguy

gskril avatar Aug 09 '25 03:08 gskril

Deploying ens-docs with Cloudflare Pages

Latest commit: bec829a
Status: ✅  Deploy successful!
Preview URL: https://06810b2a.docs-bao.pages.dev
Branch Preview URL: https://fix-csp.docs-bao.pages.dev


What wallet are you using @gskril? It might inject <script> on a page.

EvalError means something is trying to call eval(...), which is unsafe.

v1rtl avatar Aug 16 '25 07:08 v1rtl
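The two problems in this thread, the Cloudflare warning about the `_headers` file and the browser's EvalError, can both be checked before a deploy. The following is an added example, not code from the ens-docs repository or from anyone in this thread: a small checker that parses a Content-Security-Policy string, applies the default-src fallback rule, and reports whether a directive permits a keyword such as 'unsafe-eval'; it also renders a Cloudflare Pages `_headers` entry with the path pattern before the header line. The policy constant is abbreviated from the build log above; the function names, the fallback set and the `/*` path are my assumptions.

```javascript
// Added example (not from the PR or its authors): a CSP directive checker
// plus a renderer for a Cloudflare Pages `_headers` entry.

// The policy below is taken from the Cloudflare build log in this PR,
// abbreviated to the directives that matter for the eval question.
const POLICY_FROM_PR =
  "default-src 'self'; " +
  "script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; " +
  "object-src 'none';";

// Fetch directives that fall back to default-src when absent. Simplified:
// worker-src and child-src have a longer fallback chain in CSP3 and are omitted.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src',
]);

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicated directive is ignored by browsers; keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the source list that governs `name`, honouring the default-src
// fallback, or null when no directive applies (the browser imposes no limit).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// True when `keyword` (for example "'unsafe-eval'") is permitted for `directive`.
function allowsKeyword(policy, directive, keyword) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true;
  const wanted = keyword.toLowerCase();
  return sources.some((s) => s.toLowerCase() === wanted);
}

// The exact condition behind the EvalError reported in the preview build:
// eval() is refused unless script-src (or its fallback) lists 'unsafe-eval'.
function evalBlocked(policy) {
  return !allowsKeyword(policy, 'script-src', "'unsafe-eval'");
}

// Cloudflare Pages `_headers` files list a path pattern on its own line,
// followed by indented "Name: value" lines. The "Path should come before
// header" warning in the log means a header line had no path rule above it.
function headersFileEntry(path, headers) {
  const lines = Object.entries(headers).map(([name, value]) => `  ${name}: ${value}`);
  return [path, ...lines].join('\n');
}

// Stand-alone run: report both checks for the policy from the PR.
console.log('eval blocked:', evalBlocked(POLICY_FROM_PR));
console.log(headersFileEntry('/*', { 'Content-Security-Policy': POLICY_FROM_PR }));
```

Running this against the policy from the build log prints that eval is blocked, which is the same decision the browser made in the preview. Whether the right fix is to add 'unsafe-eval' to script-src or to find and remove the code path that calls eval() is a separate question; the checker only makes the policy's effect visible before the deploy.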

I'm getting the same error in incognito and other browsers without extensions. Do you not see it on https://fix-csp.docs-bao.pages.dev/ ?

gskril avatar Aug 20 '25 03:08 gskril