Blocked 'script' from 'eval:' #2611

Closed
bhollis opened this issue Jan 31, 2018 · 5 comments

bhollis commented Jan 31, 2018

I'm not sure what this is - it seems to happen on Chrome for Android specifically, and it's firing despite us having "unsafe-eval" in our CSP (we shouldn't, but zip.js needed it). It happens a fair bit though.

It could be related to facebook/regenerator#336 since I bet we're including regenerator-runtime.

https://sentry.io/share/issue/85b714e24806417aa539fa42d63867b7/
https://sentry.io/destiny-item-manager/dim/issues/443976150/

{"csp-report":{"line_number":28,"blocked_uri":"eval","status_code":0,"violated_directive":"script-src","document_uri":"https://beta.destinyitemmanager.com/index.html?utm_source=homescreen","original_policy":"default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample' https://apis.google.com https://www.google-analytics.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/css; connect-src 'self' https://*.destinyitemmanager.com https://www.google-analytics.com https://www.bungie.net https://reviews-api.destinytracker.net https://db-api.destinytracker.com https://sentry.io/api/279673/store/; img-src 'self' https://*.destinyitemmanager.com https://www.bungie.net https://ssl.google-analytics.com https://www.google-analytics.com https://csi.gstatic.com https://opencollective.com data:; font-src 'self' https://fonts.gstatic.com; child-src 'self' https://accounts.google.com https://content.googleapis.com; frame-src  https://accounts.google.com https://content.googleapis.com; object-src 'self'; manifest-src 'self'; report-uri https://sentry.io/api/279673/csp-report/?sentry_key=1367619d45da481b8148dd345c1a1330","source_file":"https://beta.destinyitemmanager.com/sql-wasm-0edda1.js","disposition":"enforce","column_number":83,"effective_directive":"script-src"}}

@bhollis bhollis added the Bug label Jan 31, 2018

bhollis commented Jan 31, 2018

It seems to have something to do with the sql-wasm script? But I don't see anything eval-y in there, besides the wasm itself.


bhollis commented Jan 31, 2018

Unless it's blocking the creation of the script tag?

      const head = document.getElementsByTagName('head')[0];
      const script = document.createElement('script');
      script.type = 'text/javascript';
      script.src = sqlWasmPath;
      script.async = true;
      head.appendChild(script);

I doubt it...


bhollis commented Feb 5, 2018

@SunburnedGoose @kyleshay any idea where to even go to figure this out? It's our biggest issue by far but I have no idea what's causing it or what the effect is. Can somebody with an Android try it out?


bhollis commented Feb 5, 2018

Actually it's just Chrome in general


bhollis commented Mar 5, 2018

No idea. Just ignored the error.

@bhollis bhollis closed this as completed Mar 5, 2018
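
One way to triage reports like the one in the first comment, as an added example that is not DIM's code and not part of the original thread: it parses `original_policy` and separates eval reports whose enforced `script-src` already contains `'unsafe-eval'` from those where the policy really forbids eval. The function names, the result labels and the abbreviated sample report are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): triage eval-type CSP violation reports.

// Parse a serialized policy into a map of directive name -> source list.
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Per the CSP spec, a repeated directive is ignored: the first one wins.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Compare an eval report with the policy the browser says it enforced.
function triageEvalReport(body) {
  const r = body && body['csp-report'];
  if (!r) return { kind: 'not-a-csp-report' };
  if (r.blocked_uri !== 'eval') return { kind: 'not-eval' };
  const policy = parsePolicy(r.original_policy || '');
  // script-src falls back to default-src when it is absent.
  const sources = policy['script-src'] || policy['default-src'] || [];
  const allowsEval = sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
  return {
    // 'inconsistent': blocked although the reported policy permits eval.
    kind: allowsEval ? 'inconsistent' : 'expected',
    where: `${r.source_file}:${r.line_number}:${r.column_number}`,
    disposition: r.disposition,
  };
}

// Constructed sample: the report from this issue with the policy abbreviated.
const sampleReport = {
  'csp-report': {
    blocked_uri: 'eval',
    violated_directive: 'script-src',
    original_policy:
      "default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample'",
    source_file: 'https://beta.destinyitemmanager.com/sql-wasm-0edda1.js',
    line_number: 28,
    column_number: 83,
    disposition: 'enforce',
  },
};

console.log(triageEvalReport(sampleReport));
```

Grouping the `inconsistent` results by `where` and by browser shows whether they cluster on one script, which is the question the thread was trying to answer by hand.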