CSP issues with issue collector implemetation

Hey ya team. Coming across an issue when implementing the issue collector in regard to CSP.
We include it within HTML like so:

<script type="text/javascript" src="https://xxxx.atlassian.net/xxxxx/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector.js?locale=en-GB&collectorId=xxxx" nonce="{{ csp_nonce('script') }}"></script>

Which allows the script to run. But the inline styles within the script fail to be accepted by our CSP.
Error:

 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' ....

Is there a particular URL to add into style-src CSP? It complains about style-src-attr too which is not allowed in our CSP. I would’ve thought putting https://xxxx.atlassian.net in our style-src would solve the issue but still getting blocked. Any ideas?

Hi @kyleberkland,

Thanks for this. It’s a known issue as we’ve made some changes lately about this. You can read about this in

Thanks,
James.

1 Like

Hi @jrichards ,
Due to our security policy, we do not allow unsafe-inline. Is there a plan to overcome this issue? Or provide a seperate css file?
Cheers

Hey @kyleberkland :wave:

Could you share the specific package name that you’re having problems with? Is it @atlaskit/feedback-collector?

Also, do you have the new dark mode functionality enabled by any chance?

Cheers,
Dan.