Horizon doesn't work when using content security policy headers #576
Comments
I'm not really sure if it's necessary to support this tbh. This is just the way it works now and I don't know too much of Vue myself to know if this would at all be possible.
Horizon is meant to be accessible only by app developers; we don't really consider it to be accessible to the public and thus these extra checks weren't in mind while working on it. You need to ignore horizon routes as shared in your example.
@driesvints a fix would be to move the contents inside the horizon div to a Vue component, i.e. App, much like Horizon did in version 1.0+. What @themsaid said makes sense though. We have access controlled by a staff permission so it's only accessible by developers. I opened this in case this wasn't meant to be an issue.
Yeah, the horizon dashboard should only be accessible by your dev team.
I'm having the same issue using nginx secure headers:
They are recommended by https://nginxconfig.io/ Any solutions? Thanks. Edit: it seems this is only in Firefox.
As this page is ranked highly in Google there is a workaround for this if using the excellent https://github.com/spatie/laravel-csp. In the

    if (request()->segment(index: 1) === config(key: 'horizon.path')) {
        return false;
    }
Description:
Horizon doesn't work when using content security policy headers, because of the changes to the view files between versions 1 and 3, i.e. going from an empty app:
to a div with html elements and a Vue component inside it.
This causes Vue to use eval, which is unsafe and not allowed by CSP.
Steps To Reproduce:
app.php:
The only workaround I've found for now is by replacing the line:
with:
But I'm not sure if this is ideal.
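The two approaches discussed in this thread, the spatie/laravel-csp `shouldBeApplied` check that skips the policy on Horizon routes, and the description's point that Vue's in-browser template compilation needs `'unsafe-eval'`, put together as one added example. This is not code from the issue, from Laravel Horizon or from spatie/laravel-csp; it assumes the spatie/laravel-csp v2 API (`Spatie\Csp\Policies\Basic`, `Directive`, `Keyword`, `AddCspHeaders`), a hypothetical `App\Support` namespace, and that Horizon's route middleware is set through the `middleware` entry of `config/horizon.php`. The two classes are shown in one file only for reading convenience.

```php
<?php
// Added example, not part of the issue thread or of either package.
// Assumes spatie/laravel-csp v2 and a hypothetical App\Support namespace.

namespace App\Support;

use Illuminate\Http\Request;
use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;
use Spatie\Csp\Policies\Basic;
use Symfony\Component\HttpFoundation\Response;

/**
 * Site-wide policy: register it as 'policy' in config/csp.php.
 * It keeps the strict Basic defaults everywhere except the Horizon
 * dashboard, which is only reachable by the dev team anyway.
 */
class AppCspPolicy extends Basic
{
    public function configure()
    {
        // Basic already sets default-src/script-src/style-src 'self' plus nonces.
        parent::configure();
    }

    /**
     * Skip the policy on Horizon routes only (the workaround from the thread).
     * Horizon's first path segment comes from config('horizon.path'),
     * which defaults to "horizon".
     */
    public function shouldBeApplied(Request $request, Response $response): bool
    {
        if ($request->segment(1) === config('horizon.path', 'horizon')) {
            return false;
        }

        // Falls back to the package's own check (config('csp.enabled')).
        return parent::shouldBeApplied($request, $response);
    }
}

/**
 * Narrower alternative: keep a CSP on the dashboard and relax only what
 * Vue's runtime template compiler needs, script-src 'unsafe-eval', instead
 * of sending no header at all. Attach it to Horizon's route group via
 * config/horizon.php (assumed key):
 *
 *   'middleware' => ['web', AddCspHeaders::class . ':' . HorizonCspPolicy::class],
 *
 * with `use Spatie\Csp\AddCspHeaders;` at the top of that config file.
 */
class HorizonCspPolicy extends Basic
{
    public function configure()
    {
        parent::configure();

        // Only script-src is widened; object-src 'none', base-uri 'self'
        // and the other Basic directives stay in force on the dashboard.
        $this->addDirective(Directive::SCRIPT, [Keyword::SELF, Keyword::UNSAFE_EVAL]);
    }
}
```

Of the two, the second keeps a record of exactly which directive the dashboard relaxes, so a later move of Horizon to a precompiled (runtime-only) Vue build lets you drop `'unsafe-eval'` again without touching the rest of the site's policy.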