Cannot render the generated events without granting unsafe-eval to the content security policy, which is very concerning as it opens up room for cross-site scripting attacks.
Steps to reproduce
The content security policy on the CloudFront distribution that serves the S3 static files built from event catalog has default-src https: wss: 'self'; style-src https: 'unsafe-inline'
If I change the content security policy to default-src https: wss: 'unsafe-eval'; style-src https: 'unsafe-inline' then everything is fine.
When drilling down to our generated event details page (from plugin generation from EB), getting this on client side
F12 console gave this
Expected behavior
the generated event page to be rendered with default-src https: wss: 'self'; style-src https: 'unsafe-inline'
Actual behavior
got client side exception as it's looking for unsafe-eval to be part of CSP
Your environment
EventCatalog version used: 1.2.5
Plugin generator against EB: ^0.0.12
Environment name and version (e.g. Edge for Business 123.0 and Chrome 123.0, Node.js 18.19.1):
Operating system and version (e.g. Ubuntu 22.04 LTS):
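An added example, not part of the original issue or of EventCatalog's code: a small Node.js check that parses a CSP header value and reports whether `eval()` would be permitted. It runs over the two policies quoted in the issue and one constructed variant; the function names are hypothetical.

```javascript
// Added example; parseCsp, effectiveScriptSources, evalAllowed are hypothetical names.

// Parse a Content-Security-Policy header value into Map(directive -> source list).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// eval() and new Function() are checked against script-src, falling back to
// default-src when script-src is absent. style-src plays no part.
function effectiveScriptSources(policy) {
  for (const directive of ['script-src', 'default-src']) {
    if (policy.has(directive)) return { directive, sources: policy.get(directive) };
  }
  return { directive: null, sources: [] };
}

function evalAllowed(header) {
  const { directive, sources } = effectiveScriptSources(parseCsp(header));
  if (directive === null) return true; // no directive governs scripts at all
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// The two policies quoted in the issue, plus one constructed variant.
const POLICIES = {
  reported: "default-src https: wss: 'self'; style-src https: 'unsafe-inline'",
  workaround: "default-src https: wss: 'unsafe-eval'; style-src https: 'unsafe-inline'",
  constructed: "default-src https: wss: 'self'; script-src https: 'unsafe-eval'",
};

function audit(policies) {
  return Object.entries(policies).map(([name, header]) => ({
    name,
    governedBy: effectiveScriptSources(parseCsp(header)).directive,
    evalAllowed: evalAllowed(header),
  }));
}

console.table(audit(POLICIES));
```

Because neither quoted policy has a `script-src` directive, the `'unsafe-eval'` keyword placed in `default-src` is what governs script evaluation.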