invidious
[Bug] CSP error when subscribing - inline-script as data
Sorry if this is a duplicate; I tried searching for subscription and CSP related issues.
Running docker build 2023.12.06-9e8baa3 Same behaviour on Firefox 120.0.1 / Edge 120.0.2210.77
Steps to reproduce
- Open Developer console
- To any channel
- Click (un)subscribe
- Console says
Content-Security-Policy: The page's settings blocked the loading of a resource at inline ("script-src").
My guess is it's the subscribe_data script in subscribe_widget.ecr which isn't allowed according to the application response headers. There's another for notification_data which may cause issues too.
Does it either need to permit inline scripts, or have a different means for setting data? Obviously it can be worked around using a proxy rewrite, but seems like it should be fixed in the application instead. I can submit a fix, I just need to know if inline data scripts or no inline scripts are the intended pattern.
Thanks
The inline JSON snippets are used to easily pass metadata between the server and client code without needing an extra request. As far as I know, the CSP directive has never been a problem; the client-side JS can still load that data.
Do correct me if I'm wrong, though.
As a mechanism for serving up the data, it's a good one. I'm just not sure what else it could be.
The error indicates the page as the source of the problem, not a particular script:line. When I get a moment I'll try building a custom image with a 'report-sample' token in the script-src to see what else I can get.
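As an added example (not code from Invidious or from anyone in this thread), the following Node.js script models how a script-src directive treats an inline executable script versus an inert JSON data block, which is the pattern that lets metadata like subscribe_data reach client JS without any inline script being executed or blocked; the example CSP header, the subscribe_data field names and the helper function names are assumptions.

```javascript
// Added example, not Invidious's own code. Models how CSP script-src treats inline
// <script> elements and shows the JSON "data block" pattern (assumed structure for
// subscribe_data) that carries metadata without executing any inline script.

// Types the browser executes; any other type makes the element an inert data block.
const EXECUTABLE_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// True if the policy would block an inline <script> with the given type and nonce.
function inlineScriptBlocked(header, { type = "", nonce = null } = {}) {
  // A data block is never run by the browser, so script-src never blocks it.
  if (!EXECUTABLE_TYPES.has(type.trim().toLowerCase())) return false;
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (sources === undefined) return false; // no governing directive at all
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return false;
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return false;
  return true;
}

// Extracts and parses a JSON data block by id; mirrors what client JS would do with
// JSON.parse(document.getElementById(id).textContent) in the browser.
function readDataBlock(html, id) {
  const re = new RegExp(`<script id="${id}" type="application/json">([\\s\\S]*?)</script>`, "i");
  const m = html.match(re);
  if (!m) throw new Error(`data block ${id} not found`);
  return JSON.parse(m[1]);
}

// Constructed sample input: a strict policy and a page fragment carrying subscribe_data.
const EXAMPLE_CSP = "default-src 'none'; script-src 'self'; style-src 'self'";
const EXAMPLE_HTML =
  '<script id="subscribe_data" type="application/json">{"ucid":"UC_example","subscribed":false}</script>';

console.log("inline JS blocked:", inlineScriptBlocked(EXAMPLE_CSP));
console.log("data block blocked:", inlineScriptBlocked(EXAMPLE_CSP, { type: "application/json" }));
console.log("parsed:", readDataBlock(EXAMPLE_HTML, "subscribe_data"));
```

Under the strict policy the executable inline script is blocked while the JSON data block is untouched, which is the check to make before deciding between 'unsafe-inline', nonces, or a non-script data mechanism.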