Horizon Dashboard does not work with strict content security policy #1018
Comments
Hmm, I can't find that. Can you point out where exactly?

It falls back to the default sans-serif font, so this isn't that much of an issue, I think. I don't think we're going to take action here since nothing really is broken. Sorry.

This has been reported before (should have added that, I'm sorry), see #576. Vue seems to use I would say that this is unwanted and should be considered a bug, as setting a strict CSP seems to be more and more common, but that's just my perspective. In our production environment the CSP headers are set by the webserver, and I'm not in a position to change them for Horizon.

If you can send in a non-breaking PR, we could consider it, maybe.

I'll try freeing up some time in the coming week to take a stab at it. Would you consider reopening this so someone with experience with Vue might try to fix this?

No, sorry. Just send in a PR if you're willing.
Description:

Apparently the Horizon dashboard uses `eval`, which makes it unusable for us in production. I'm not in a position to disable the CSP for security reasons. And I'm not familiar with Vue, so I'm not sure how to solve this.

Apart from this, it also loads an external font from Google Fonts which is blocked, but I don't think this breaks functionality. Making `layout.blade.php` publishable and editable would enable us to fix/work around this.

Steps To Reproduce:

Set a CSP which excludes the use of `unsafe-eval` and external style sources, observe the dashboard not loading and producing errors in the JavaScript console:

Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.googleapis.com/css?family=Nunito ("style-src").
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
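The two console errors above are exactly what a strict policy should produce. The following is an added example, not Horizon's or Laravel's own code and not part of the original issue: a small Content-Security-Policy evaluator that parses a header the way a browser resolves `script-src`/`style-src` (with the `default-src` fallback), checks the two resources the dashboard needs, and reproduces the violations against a strict policy. The page origin `https://horizon.example`, the policy strings and the function names are assumptions made for the example. Source matching is simplified (no nonces or hashes). In general, a Vue build that ships the template compiler needs `new Function`, which CSP treats like `eval`; that is a general Vue fact, not something the issue establishes.

```javascript
// Added example (not Horizon's own code): minimal CSP evaluator that reproduces the
// two console errors from the issue. Page origin and policies below are assumptions.

// Parse "directive src src; directive src" into a Map of directive -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// script-src and style-src fall back to default-src when absent; null means "no restriction".
function sourcesFor(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// Simplified host-source matching: 'self', '*', scheme-source (https:), and
// [scheme://]host[:port][/path] with an optional leading *. wildcard.
// Nonces, hashes and other keywords never match a URL here.
function sourceAllowsUrl(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (source.endsWith(':')) return url.protocol === source;
  if (source.startsWith("'")) return false;
  const wildcard = source.includes('*.');
  const expr = source.replace('*.', '');
  let wanted;
  try {
    wanted = new URL(expr.includes('://') ? expr : `${url.protocol}//${expr}`);
  } catch {
    return false;
  }
  const hostOk = wildcard
    ? url.hostname.endsWith('.' + wanted.hostname)
    : url.hostname === wanted.hostname;
  return hostOk && url.protocol === wanted.protocol && url.port === wanted.port
    && (wanted.pathname === '/' || url.pathname.startsWith(wanted.pathname));
}

// A URL is blocked when the effective directive exists and no source expression allows it.
function urlBlocked(directives, directive, urlString, pageOrigin) {
  const sources = sourcesFor(directives, directive);
  if (sources === null) return false;
  const url = new URL(urlString);
  return !sources.some((s) => sourceAllowsUrl(s, url, pageOrigin));
}

// eval() and new Function() are refused unless the effective script-src carries 'unsafe-eval'.
function evalBlocked(directives) {
  const sources = sourcesFor(directives, 'script-src');
  return sources !== null && !sources.includes("'unsafe-eval'");
}

// Audit the two resources the issue reports and return violations in the console's wording.
function auditHorizonCsp(header, pageOrigin = 'https://horizon.example') {
  const d = parseCsp(header);
  const violations = [];
  if (evalBlocked(d)) violations.push("blocked eval ('script-src')");
  const font = 'https://fonts.googleapis.com/css?family=Nunito';
  if (urlBlocked(d, 'style-src', font, pageOrigin)) violations.push(`blocked ${font} ('style-src')`);
  return violations;
}

// Strict policy of the kind the reporter runs (assumed): both resources are refused.
const STRICT = "default-src 'self'; script-src 'self'; style-src 'self'";
// A policy that admits them. Note that 'unsafe-eval' genuinely weakens the CSP; the
// durable fix is a Vue build that needs no eval and a self-hosted or removed font.
const RELAXED = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com";

console.log('strict :', auditHorizonCsp(STRICT));
console.log('relaxed:', auditHorizonCsp(RELAXED));
```

Run with `node csp-audit.js` (assumed file name). The strict policy yields both violations seen in the issue; the relaxed policy yields none. The `'self'` origin check is why a self-hosted copy of the font would pass even under the strict policy, while `eval` can only be admitted by `'unsafe-eval'`, which is the part a security team will refuse.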