CSP issues with issue collector implemetation

kyleberkland · February 14, 2024, 9:00pm

Hey ya team. Coming across an issue when implementing the issue collector in regard to CSP.
We include it within HTML like so:

<script type="text/javascript" src="https://xxxx.atlassian.net/xxxxx/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector.js?locale=en-GB&collectorId=xxxx" nonce="{{ csp_nonce('script') }}"></script>

Which allows the script to run. But the inline styles within the script fail to be accepted by our CSP.
Error:

 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' ....

Is there a particular URL to add into style-src CSP? It complains about style-src-attr too which is not allowed in our CSP. I would’ve thought putting https://xxxx.atlassian.net in our style-src would solve the issue but still getting blocked. Any ideas?

jrichards · February 15, 2024, 12:17am

Hi @kyleberkland,

Thanks for this. It’s a known issue as we’ve made some changes lately about this. You can read about this in

Launch of Issue Context Module - #48 by tbinna

Thanks,
James.

kyleberkland · February 15, 2024, 1:24am

Hi @jrichards ,
Due to our security policy, we do not allow unsafe-inline. Is there a plan to overcome this issue? Or provide a seperate css file?
Cheers

DanielDelCore · February 15, 2024, 10:59pm

Hey @kyleberkland

Could you share the specific package name that you’re having problems with? Is it @atlaskit/feedback-collector?

Also, do you have the new dark mode functionality enabled by any chance?

Cheers,
Dan.