Please document a minimal Content-Security-Policy required for using Spotlight

Open lol768 opened this issue 2 years ago • 2 comments

All of our applications use a strict CSP in both production and development, in line with security best practice.

At present:

Content-Security-Policy: The page's settings blocked the loading of a resource at http://localhost:8969/stream ("connect-src").

I assume it needs at least this connect-src whitelisted (is the port number deterministic?), because currently I just get Not connected to Sidecar

image

lol768 avatar Dec 10 '23 16:12 lol768

Answers: yes, port is always 8969 (but this can be configured)

connect-src was all it seemed to need in my set-up:

image

lol768 avatar Dec 10 '23 17:12 lol768

For simple future context:

Content-Security-Policy: connect-src http://localhost:8969/

Agree we should add this to the docs. Not entirely sure of the most straightforward location off the top of my head.

dcramer avatar Dec 10 '23 17:12 dcramer
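
Added example, not part of the thread or of Spotlight's own code: a development-only helper that extends an existing strict policy with the sidecar origin quoted above. It assumes Node.js; the function names are hypothetical, and the source matching is simplified to plain host sources (no `'self'` resolution, no wildcard hosts).

```javascript
// Default sidecar origin as stated in this thread (the port is configurable).
const SIDECAR_ORIGIN = 'http://localhost:8969';

// Parse a CSP header value into Map<directive, sources[]>.
// CSP ignores a repeated directive, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Would this policy let the page connect to `url`? Simplified matching:
// quoted keywords ('self', 'none') never match here; host sources match on
// origin, with prefix matching when the source path ends in "/".
function allowsConnect(header, url) {
  const policy = parseCsp(header);
  // connect-src falls back to default-src when it is absent.
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing governs connections
  const target = new URL(url);
  return sources.some((src) => {
    if (src === '*') return true;
    if (src.startsWith("'")) return false;
    try {
      const allowed = new URL(src);
      if (allowed.origin !== target.origin) return false;
      return allowed.pathname.endsWith('/')
        ? target.pathname.startsWith(allowed.pathname)
        : target.pathname === allowed.pathname;
    } catch {
      return false; // scheme-only or bare-host sources are not handled here
    }
  });
}

// Return the header unchanged outside development, or when it already permits
// the sidecar stream; otherwise add the sidecar origin to connect-src.
function withSidecar(header, isDev) {
  if (!isDev || allowsConnect(header, SIDECAR_ORIGIN + '/stream')) return header;
  const policy = parseCsp(header);
  // A new connect-src replaces the default-src fallback instead of adding to
  // it, so seed it with the sources that governed connections before.
  const base = policy.get('connect-src') ?? policy.get('default-src') ?? [];
  policy.set('connect-src', [...base.filter((s) => s !== "'none'"), SIDECAR_ORIGIN + '/']);
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}
```

Gating on `isDev` keeps the localhost source out of the production header, so the production policy stays as strict as it was.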

Closing as the embedded use case is now gone.

BYK avatar Sep 26 '25 20:09 BYK