CSP issues with issue collector implementation

Hey ya team. Coming across an issue when implementing the issue collector in regard to CSP.
We include it within HTML like so:

<script type="text/javascript" src="https://xxxx.atlassian.net/xxxxx/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector.js?locale=en-GB&collectorId=xxxx" nonce="{{ csp_nonce('script') }}"></script>

Which allows the script to run. But the inline styles within the script fail to be accepted by our CSP.

 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' ....

Is there a particular URL to add into style-src CSP? It complains about style-src-attr too which is not allowed in our CSP. I would’ve thought putting https://xxxx.atlassian.net in our style-src would solve the issue but still getting blocked. Any ideas?
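Why adding the Atlassian host to style-src leaves inline styles blocked, shown as an added example (not part of the original thread and not Atlassian code): a small JavaScript model of how CSP Level 3 picks the directive that governs inline `<style>` elements and `style` attributes. The policies and the host example.atlassian.net are constructed placeholders.

```javascript
// Added example. Policies are constructed; example.atlassian.net is a placeholder.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; only its first occurrence counts.
    if (name && !directives.has(name.toLowerCase())) {
      // Lowercased for keyword matching only; real nonces/hashes are case-sensitive.
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// kind: 'elem' for inline <style> blocks, 'attr' for style="..." attributes.
function inlineStyleVerdict(policy, kind) {
  const directives = parsePolicy(policy);
  // Fallback chain: style-src-elem / style-src-attr, then style-src, then default-src.
  const directive = [`style-src-${kind}`, 'style-src', 'default-src']
    .find((d) => directives.has(d));
  if (!directive) return { verdict: 'allowed', directive: null };
  const sources = directives.get(directive);
  const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  // 'unsafe-inline' is ignored once the same list carries a nonce or hash.
  if (sources.includes("'unsafe-inline'") && !hasNonce && !hasHash) {
    return { verdict: 'allowed', directive };
  }
  // A nonce or hash admits only the <style> elements that carry or match it.
  if (kind === 'elem' && (hasNonce || hasHash)) return { verdict: 'needs-match', directive };
  // Style attributes can only be matched by hash, and only with 'unsafe-hashes'.
  if (kind === 'attr' && hasHash && sources.includes("'unsafe-hashes'")) {
    return { verdict: 'needs-match', directive };
  }
  // Host/scheme sources ('self', https://host) match fetched stylesheets only.
  return { verdict: 'blocked', directive };
}

const samplePolicies = [
  "style-src 'self' https://example.atlassian.net",
  "style-src 'self' 'nonce-r4nd0m'",
  "style-src 'self'; style-src-attr 'unsafe-inline'",
];
for (const p of samplePolicies) {
  console.log(p, inlineStyleVerdict(p, 'elem').verdict, inlineStyleVerdict(p, 'attr').verdict);
}
```

A host entry in style-src only covers stylesheets fetched from that host, so the first sample reports `blocked` for both inline forms, which matches the error quoted above.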

Hi @kyleberkland,

Thanks for this. It’s a known issue as we’ve made some changes lately about this. You can read about this in



Hi @jrichards ,
Due to our security policy, we do not allow unsafe-inline. Is there a plan to overcome this issue? Or provide a separate CSS file?

Hey @kyleberkland :wave:

Could you share the specific package name that you’re having problems with? Is it @atlaskit/feedback-collector?

Also, do you have the new dark mode functionality enabled by any chance?