CSP loading issue of JS resources in current devel docker container setup
Steps to reproduce
In a docker setup using https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/deploy/docker.nginx.template with
FUNKWHALE_VERSION=develop, the front page fails to load JS files.
JS files fail to load due to CSP errors:
The CSP errors indicate that eval is being used to load the resources.
Indeed, changing the CSP header at https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/deploy/docker.nginx.template#L29 to include 'unsafe-eval' as a script source makes the loading work again.
What is expected?
Resources can be loaded. There are two options:
1. 'unsafe-eval' is not needed: JS resources get loaded without eval being used.
2. docker.nginx.template gets changed to include:
   add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
I really don't see why eval should be needed to load JS dependencies, and allowing 'unsafe-eval' might have some security implications.
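Added example (not part of the issue, and not Funkwhale's code): a small CSP parser that resolves the effective script-src (falling back to default-src when script-src is absent, and ignoring repeated directives, as browsers do) and reports whether a given header permits eval()/new Function(). The "current" policy used below is an assumption: the header proposed in option 2 with 'unsafe-eval' removed, since the issue does not quote the existing line 29 verbatim. The delta function shows exactly which script sources option 2 adds compared with that assumed baseline.

```javascript
// Added example: audit a Content-Security-Policy header for eval permissions.
// Not Funkwhale's code. PROPOSED is the header from option 2 of the issue;
// CURRENT_ASSUMED is an assumption (PROPOSED without 'unsafe-eval').
const PROPOSED =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
  "img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
const CURRENT_ASSUMED = PROPOSED.replace(" 'unsafe-eval'", "");

// Parse "name src src; name src" into a Map of directive name -> source list.
// Browsers keep only the first occurrence of a duplicated directive, so do we.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives such as script-src fall back to default-src when absent.
// Returns null when neither is present (no restriction at all).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Summarise what the policy allows for script execution.
function scriptPolicy(header) {
  const d = parseCsp(header);
  const src = effectiveSources(d, "script-src");
  const has = (kw) => src !== null && src.some((s) => s.toLowerCase() === kw);
  return {
    sources: src,
    // With no script-src and no default-src, eval is unrestricted.
    evalAllowed: src === null || has("'unsafe-eval'"),
    inlineAllowed: src === null || has("'unsafe-inline'"),
    fallbackToDefault: !d.has("script-src") && d.has("default-src"),
  };
}

// Which script sources does `after` permit that `before` did not?
// This is the list a reviewer should scrutinise before merging a CSP change.
function auditDelta(before, after) {
  const b = new Set((scriptPolicy(before).sources || []).map((s) => s.toLowerCase()));
  const a = scriptPolicy(after).sources || [];
  return a.filter((s) => !b.has(s.toLowerCase()));
}

// Human-readable one-line verdict for a header.
function summarize(header) {
  const p = scriptPolicy(header);
  const origin = p.sources === null ? "no script restriction"
    : p.fallbackToDefault ? "script-src inherited from default-src"
    : "explicit script-src";
  return `${origin}; eval ${p.evalAllowed ? "ALLOWED" : "blocked"}; ` +
    `inline scripts ${p.inlineAllowed ? "ALLOWED" : "blocked"}`;
}
```

Run summarize(CURRENT_ASSUMED) and summarize(PROPOSED) to see the two verdicts side by side; auditDelta(CURRENT_ASSUMED, PROPOSED) returns just 'unsafe-eval', which is the single keyword option 2 turns on and the one whose security cost the reporter is questioning.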