Lucky bug reporting conflicts with user Content-Security-Policy #1324
Comments
You're referring to the error page that shows up, right? Where you can expand the error details and all that? We currently use https://github.com/crystal-loot/exception_page for that page. We may need to consider using a forked version depending on what the best solution is 🤔
Will file with @Sija, let's continue to track here.
Filed as crystal-loot/exception_page#17
We still need a general mechanism to set the nonce in Lucky, not in every shard that Lucky uses that needs it.
This is fixed already
When Lucky reports an exception to the developer, it uses inline JavaScript. If the user has set a restrictive Content-Security-Policy, this is rejected. Solution: provide a way, per request, for the user to set a nonce, or for Lucky to generate a nonce for the user using Random::Secure.base64. Add the nonce to the `<script>` tag, as in `<script nonce="...">`.

In a separate issue I will discuss how to implement a content-security-policy facility in Lucky.
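
The per-request nonce approach proposed in the issue, as an added example that is not code from Lucky or exception_page: it uses only Crystal's standard library, and the helper names `csp_header` and `error_page`, the policy string and the sample page are assumptions made for illustration.

```crystal
require "http/server"
require "random/secure"
require "html"

# Hypothetical helper: inline scripts are allowed only when they carry
# the nonce generated for this response.
def csp_header(nonce : String) : String
  "default-src 'self'; script-src 'self' 'nonce-#{nonce}'"
end

# Constructed stand-in for an error page that relies on inline JavaScript.
def error_page(message : String, nonce : String) : String
  <<-PAGE
  <!DOCTYPE html>
  <html>
    <body>
      <h1>#{HTML.escape(message)}</h1>
      <details id="trace"><summary>Details</summary>stack trace goes here</details>
      <script nonce="#{nonce}">
        document.getElementById("trace").open = true;
      </script>
    </body>
  </html>
  PAGE
end

server = HTTP::Server.new do |context|
  # A fresh, unpredictable value for every response. Reusing or caching a
  # nonce lets injected markup satisfy the policy.
  nonce = Random::Secure.base64(16)

  context.response.status_code = 500
  context.response.content_type = "text/html; charset=utf-8"
  # The header and the <script> tag must carry the same value.
  context.response.headers["Content-Security-Policy"] = csp_header(nonce)
  context.response.print error_page("Unhandled exception (constructed sample)", nonce)
end

address = server.bind_tcp "127.0.0.1", 8080
puts "Listening on http://#{address}"
server.listen
```

Requesting the page twice shows a different nonce each time, and removing the `nonce` attribute from the `<script>` tag makes the browser block the inline script under this policy.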