- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 2.4.55
- Component/s: Upload
- Release Notes Summary: File upload works with stricter CSP.
- Tags:
- Backlog priority: 550
- Sprint: UI - 2021-13, UI - 2021-14, UI Cooldown - 2021-13, UI Cooldown - 2021-14
File upload actions (for example through the "Create" or "Import" tabs of nuxeo-document-create-button) complete successfully, but produce browser console errors when a CSP whose script-src directive lacks 'unsafe-inline' and 'unsafe-eval' is used together with org.nuxeo.web.ui.expressions.eval set to false (as seen in WEBUI-60).
Error seen in the console:
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' data: connect.nuxeo.com apis.google.com app.box.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
CSP tested:
default-src 'self'; script-src 'self' data: connect.nuxeo.com apis.google.com app.box.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; font-src 'self' data: fonts.gstatic.com; media-src 'self'; frame-src 'self' www.nuxeo.com accounts.google.com; frame-ancestors 'self'
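Added example, not Nuxeo code: a small CSP parser that takes a policy string like the one tested above and reports whether its effective script-src refuses inline scripts and javascript: URL navigations, the condition behind the console error quoted here. The function and field names are my own.

```javascript
// Added example, not Nuxeo code: parse a CSP header value and report whether
// its effective script-src refuses inline scripts and javascript: URL
// navigations, the condition behind the console error in this ticket.

function parseCsp(policy) {
  // Map of directive name -> source list; the first occurrence of a directive
  // wins, matching browser behaviour for duplicated directives.
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function assessScriptSrc(policy) {
  const d = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = d['script-src'] || d['default-src'];
  if (!sources) {
    return { restricted: false, inlineAllowed: true, javascriptUrlsAllowed: true, javascriptUrlsByHash: false };
  }
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  // A nonce or hash in the list makes browsers ignore 'unsafe-inline' (CSP Level 2+).
  const inlineAllowed = has("'unsafe-inline'") && !hasNonceOrHash;
  // javascript: URLs count as inline execution; hashes only cover them when
  // 'unsafe-hashes' is also present, exactly as the console message says.
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  return {
    restricted: true,
    inlineAllowed,
    javascriptUrlsAllowed: inlineAllowed,
    javascriptUrlsByHash: hasHash && has("'unsafe-hashes'"),
  };
}

// The policy quoted in this ticket, embedded here as sample input.
const TICKET_CSP = "default-src 'self'; script-src 'self' data: connect.nuxeo.com apis.google.com app.box.com; " +
  "style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; font-src 'self' data: fonts.gstatic.com; " +
  "media-src 'self'; frame-src 'self' www.nuxeo.com accounts.google.com; frame-ancestors 'self'";

// For the ticket's policy: inlineAllowed false, javascriptUrlsAllowed false,
// so the javascript: URL the upload action navigates to is refused.
console.log(assessScriptSrc(TICKET_CSP));
```

Under such a policy the upload action's javascript: navigation has to be replaced by a real event handler attached from an allowed script, which is the only change a hash or nonce cannot substitute for.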
- is related to: NEV-564 Unable to load Annotations tab due to stricter CSP (Open)
- Is referenced in: