javascript:void causes CSP error in lightning-progress-step

Open jove4015 opened this issue 3 years ago • 7 comments

Description

Steps to Reproduce

https://webcomponents.dev/edit/iOI2o9ZhYfIQhL32Mzth


```html
<div class="progress-bar">
    <lightning-progress-indicator current-step="1" type="path" has-error="true" variant="base">
        <lightning-progress-step label="Select Items" value="1"></lightning-progress-step>
        <lightning-progress-step label="Make Adjustments" value="2"></lightning-progress-step>
        <lightning-progress-step label="Confirm Credit" value="3"></lightning-progress-step>
        <lightning-progress-step label="Done" value="4"></lightning-progress-step>
    </lightning-progress-indicator>
</div>
```

Expected Results

Should be able to click from step to step in progress indicator without CSP errors in console.

Actual Results

You get this error in the console, and none of the progress-step events fire:

Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-OdZeVsYPce120YkcJhVd5EoK5VP1rai6' chrome-extension: 'unsafe-inline' 'unsafe-eval' *.canary.lwc.dev *.visualforce.com https://ssl.gstatic.com/accessibility/". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

This does not happen on webcomponents.dev because the CSP is not the same as a Salesforce org. You have to do this in an actual Salesforce org to see the problem.

Browsers Affected

Chrome, Latest

Version

  • LWC: x.x.x

Unclear. This is in my pretty standard sandbox.

Possible Solution

If you look at the code generated, you will see this:

```html
<a aria-selected="true" href="javascript:void(0);" role="option" tabindex="0" class="slds-path__link"> ...
```

Can we please remove the `javascript:void(0)` and replace with something valid under Salesforce's CSP?

Additional context/Screenshots

I believe a "#" would be sufficient.

jove4015 avatar May 20 '21 21:05 jove4015
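Added example, not part of the original issue or of the component's code: a small check that applies the rule quoted in the console error ('unsafe-inline' is ignored once a nonce or hash is in the source list) to a policy string and reports whether an `href="javascript:..."` link can run. The helper names `parsePolicy` and `checkJavascriptUrl` are hypothetical, the policy is the one from the error above, and the no-nonce variant is constructed for comparison.

```javascript
// Added example (hypothetical helper names). Models the CSP3 "allow all inline"
// decision for a single policy; per-URL hash matching is not modelled.
const FALLBACK = ["script-src-elem", "script-src", "default-src"];
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[^']+'$/i;

// Split a policy string into directive name -> source list (first duplicate wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether href="javascript:..." may run under the policy, and why.
function checkJavascriptUrl(policy) {
  const directives = parsePolicy(policy);
  const directive = FALLBACK.find((d) => directives.has(d)) || null;
  if (!directive) return { allowed: true, directive, reason: "no script directive applies" };
  const sources = directives.get(directive);
  const blocker = sources.find(
    (s) => NONCE_OR_HASH.test(s) || s.toLowerCase() === "'strict-dynamic'");
  if (blocker) {
    return { allowed: false, directive, reason: `'unsafe-inline' ignored because of ${blocker}` };
  }
  const inline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return { allowed: inline, directive,
    reason: inline ? "'unsafe-inline' in effect" : "'unsafe-inline' not listed" };
}

// Policy copied from the console error in the issue above.
const ORG_POLICY = "script-src 'self' 'nonce-OdZeVsYPce120YkcJhVd5EoK5VP1rai6' " +
  "chrome-extension: 'unsafe-inline' 'unsafe-eval' *.canary.lwc.dev " +
  "*.visualforce.com https://ssl.gstatic.com/accessibility/";
// Constructed variant: the same policy with the nonce source removed.
const NO_NONCE_POLICY = ORG_POLICY.replace(/'nonce-[^']+' /, "");

console.log(checkJavascriptUrl(ORG_POLICY));
console.log(checkJavascriptUrl(NO_NONCE_POLICY));
```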

This issue has been linked to a new work item: W-9302694

uip-robot-zz avatar May 21 '21 13:05 uip-robot-zz

This issue has been linked to a new work item: W-9302695

uip-robot-zz avatar May 21 '21 13:05 uip-robot-zz

Hi Team,

I am also facing a similar issue in code. Did anyone find the solution to resolve this issue?

Regards, Puneet Gaur

puneetgaur1977 avatar Jun 16 '21 18:06 puneetgaur1977

There is currently no update on this issue from the Lightning base component team.

pmdartus avatar Jun 17 '21 07:06 pmdartus

Hi Salesforce Team,

My Org is also seeing this issue. Please do provide an update on this.

Thanks, Sunil

ksunil07 avatar Oct 12 '21 11:10 ksunil07

same issue

gdevarapalli avatar Nov 02 '21 18:11 gdevarapalli

Same here

tpiechota avatar Nov 05 '21 16:11 tpiechota

Same here

kovdmm avatar Nov 09 '22 16:11 kovdmm