gskril commented Aug 9, 2025

Cloudflare shows the following warning on every build since #424. GPT5 applied the fix in the PR.

22:16:33.293	Found invalid header lines:

22:16:33.293	  - #1:  Content-Security-Policy: default-src 'self'; script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev https://fonts.googleapis.com 'unsafe-inline'; style-src-attr 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src-elem 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; connect-src 'self' https://eth.merkle.io https://euc.li https://api.opensea.io https://ipfs.io https://docs.ens.domains; img-src 'self' data: blob: https://*.docs-bao.pages.dev https://euc.li https://api.opensea.io https://ipfs.io https://i.seadn.io; font-src 'self' https://*.docs-bao.pages.dev https://fonts.gstatic.com; object-src 'none';

22:16:33.293	    Path should come before header (content-security-policy: default-src 'self'; script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev https://fonts.googleapis.com 'unsafe-inline'; style-src-attr 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; style-src-elem 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; connect-src 'self' https://eth.merkle.io https://euc.li https://api.opensea.io https://ipfs.io https://docs.ens.domains; img-src 'self' data: blob: https://*.docs-bao.pages.dev https://euc.li https://api.opensea.io https://ipfs.io https://i.seadn.io; font-src 'self' https://*.docs-bao.pages.dev https://fonts.gstatic.com; object-src 'none';)

This PR leaves the following console error in the preview build:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'".

It appears that Vocs doesn't like the restriction... leaving as draft for now, not an urgent fix unless you feel differently @talentlessguy

Deploying ens-docs with Cloudflare Pages

Latest commit: bec829a
Status: ✅  Deploy successful!
Preview URL: https://06810b2a.docs-bao.pages.dev
Branch Preview URL: https://fix-csp.docs-bao.pages.dev

talentlessguy commented Aug 16, 2025

What wallet are you using @gskril? It might inject <script> on a page.

EvalError means something is trying to call eval(...), which is unsafe.

gskril commented Aug 20, 2025

I'm getting the same error in incognito and other browsers without extensions. Do you not see it on https://fix-csp.docs-bao.pages.dev/ ?
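
An added example, not part of the thread or the ens-docs repository: a small linter for the `_headers` format that reproduces the build warning quoted above (a header line with no path line before it) and reports whether the `script-src` that ends up applied permits `eval()`. The parsing rules approximate Cloudflare's and are not its actual parser; the `/*` path and the shortened policy are constructed for illustration.

```javascript
// Approximate linter for a Cloudflare Pages `_headers` file (not Cloudflare's parser).
// Assumed format: an unindented path line, then "Name: value" header lines below it.
function lintHeadersFile(text) {
  const rules = [];   // [{ path, headers: { lowercased-name: value } }]
  const invalid = []; // [{ line, reason }]
  let current = null;
  text.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return; // blank line or comment
    if (/^(\/|[^\s:]+:\/\/)/.test(line)) {           // "/path" or "https://host/path"
      current = { path: line, headers: {} };
      rules.push(current);
      return;
    }
    const colon = line.indexOf(":");
    if (colon === -1) {
      invalid.push({ line: i + 1, reason: "Header line has no colon" });
    } else if (current === null) {
      invalid.push({ line: i + 1, reason: "Path should come before header" });
    } else {
      current.headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
    }
  });
  return { rules, invalid };
}

// Split a CSP value into { directive: [sources] }; the first copy of a directive wins.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !(name in policy)) policy[name] = sources;
  }
  return policy;
}

// eval() and new Function() are governed by script-src, falling back to default-src.
const allowsEval = (p) => (p["script-src"] ?? p["default-src"] ?? []).includes("'unsafe-eval'");

// Lint a file and report, per path, whether the CSP it sets permits eval().
function report(text) {
  const { rules, invalid } = lintHeadersFile(text);
  const csp = (r) => r.headers["content-security-policy"];
  const applied = rules.filter(csp).map((r) => ({ path: r.path, evalAllowed: allowsEval(parseCsp(csp(r))) }));
  return { invalid, applied };
}

// Constructed samples: CSP shortened to the script-src quoted in the thread; "/*" is an assumed path.
const CSP = "default-src 'self'; script-src 'self' https://docs.ens.domains https://*.docs-bao.pages.dev 'unsafe-inline'; object-src 'none';";
const broken = `Content-Security-Policy: ${CSP}\n`;
const fixed = `/*\n  Content-Security-Policy: ${CSP}\n`;
console.log(JSON.stringify({ broken: report(broken), fixed: report(fixed) }, null, 2));
```

For the `broken` sample the policy is reported as invalid and no path receives it; for `fixed` it is applied with `evalAllowed: false`, which is the condition under which a page calling `eval()` raises the `EvalError` quoted in the first comment.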
