CSP loading issue of JS resources in current devel docker container setup
Steps to reproduce
In a docker setup using https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/deploy/docker.nginx.template with FUNKWHALE_VERSION=develop, the front page fails to load JS files.
What happens?
JS files fail to load due to CSP errors:
The CSP errors indicate that eval is being used to load the resources.
Indeed, changing the CSP header at https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/deploy/docker.nginx.template#L29 to include unsafe-eval as a script source makes the loading work again.
What is expected?
Resources can be loaded. There are two options:
- Preferred: unsafe-eval is not needed, and JS resources get loaded without eval being used.
- The docker.nginx.template gets changed to include unsafe-eval:
  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
I really don't see why eval should be needed to load JS dependencies, and allowing unsafe-eval might have some security implications.
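As an added example (not Funkwhale's code), the following Python check parses a Content-Security-Policy header and reports whether its effective script sources permit eval, so a deployment can be audited before and after editing the nginx template. The baseline header without 'unsafe-eval' is an assumption, since the issue only quotes the modified header.

```python
"""Audit a Content-Security-Policy header for eval-permitting script sources.
Added example for the Funkwhale nginx template discussion; not project code."""
from typing import Dict, List

# The header quoted in the issue (script-src extended with 'unsafe-eval').
CSP_WITH_EVAL = (
    "default-src 'self'; script-src 'self' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
    "font-src 'self' data:; object-src 'none'; media-src 'self' data:"
)
# Assumed baseline: the same header without 'unsafe-eval'. The issue does not
# quote the original template line verbatim, so this value is constructed.
CSP_BASELINE = CSP_WITH_EVAL.replace(" 'unsafe-eval'", "")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins over any later duplicate."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_src(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; when it is absent, browsers fall back to
    default-src, so a weak default-src is just as relevant as script-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def allows_eval(header: str) -> bool:
    """True if scripts under this policy may call eval() / new Function()."""
    sources = {s.lower() for s in effective_script_src(parse_csp(header))}
    return "'unsafe-eval'" in sources


def weak_script_sources(header: str) -> List[str]:
    """List the script-source keywords that weaken the policy for scripts."""
    risky = {"'unsafe-eval'", "'unsafe-inline'", "*"}
    sources = effective_script_src(parse_csp(header))
    return sorted(s for s in sources if s.lower() in risky)


if __name__ == "__main__":
    for label, csp in (("baseline", CSP_BASELINE), ("with eval", CSP_WITH_EVAL)):
        print(f"{label}: allows eval={allows_eval(csp)} weak={weak_script_sources(csp)}")
```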
Edited by Philipp Wolfer