CSP violation detected for ‘script-src’

david.pinn · May 18, 2024, 11:05am

What on earth is going on here? Here’s the output from forge tunnel:

…
=== Running forge lint…
No issues found.

=== Bundling code…

Listening for requests…

Received proxy request. Serving file index.html for resource main from specified address http://localhost:3000
CSP violation detected for ‘script-src’ while serving content at http://localhost:8000/
For an app to share data with external resources or use custom CSP, follow the steps in: https://go.atlassian.com/forge-content-security-and-egress-controls

I have parcel JS running on port 3000. My manifest has the requisite tunnel: parameter.

resources:
  - key: main
    path: static/app/dist
    tunnel:
      port: 3000
  - key: icons
    path: src/icons
    tunnel:
      port: 3000

david.pinn · May 18, 2024, 11:32am

Oh, strike me purple! The problem has gone away. Some unknown combination of keystrokes in my failing attempts to restart everything made the problem disappear. For now. Fingers and toes crossed.

david.pinn · May 19, 2024, 9:54am

The problem is back again, and this time I can’t make it go away again. Something in the plumbing isn’t right, clearly.

luis.cruz · July 4, 2024, 7:47pm

Hello @david.pinn

I am having same problem. In my case trying to access the forge API from a custom UI application.

How did you manage to solve this?

david.pinn · July 5, 2024, 4:11am

I just close my eyes and pretend that everything will be ok.

VictorAmadi · July 8, 2024, 12:09pm

have you tried adding

permissions:
  content:
    styles: unsafe-inline

in your manefest.yml file?

david.pinn · July 8, 2024, 12:28pm

Thank you, Victor. Yes, I have that already.

VictorAmadi · July 9, 2024, 8:11am

sorry also:

scripts:
  - unsafe-inline
  - unsafe-eval

david.pinn · July 9, 2024, 11:46am

Yes, that seems to work, Victor, but isn’t it… err… unsafe?

VictorAmadi · July 9, 2024, 11:54am

but it work eh lol…
honestly I have no idea, maybe use it only in development

YY1 · October 13, 2024, 4:43am

Thanks. May I ask 2 questions please?

maybe use it only in development

What does “unsafe-eval” mean?
It’s not recommended to release the codes to Production environment?

Sachin2 · September 19, 2025, 1:42am

Hello @YY1 @luis.cruz @david.pinn @VictorAmadi ,

I am also getting the same error. What’s the solution for the production environment?

scottohara · September 19, 2025, 3:01am

Not sure if this helps, but many years ago we found that using webpack’s eval-source-map option (which at the time was the recommendation for development) requires, as the name suggests, eval-ing code which in turn required us to add unsafe-eval to our manifest.

We asked whether there was any guidance for using a different set of permissions for dev vs production in a single manifest, but alas that was not supported:

We also tracked FRGE-1233 , but as with seemingly most Forge tickets that we’re interested in, this has remained stuck at “Gathering Interest” for over two years…

(Aside for any Atlassian’s looking: From out outsider’s perspective, there’s nothing more infuriating than the “Gathering Interest” status, which is where tickets go to die. If something is gathering interest for multiple years, then you should either decide to do it or mark is as “Won’t fix” so we can all move on with our lives.)

Sachin2 · September 19, 2025, 3:10am

Thank you @scottohara ,
For sharing this background — it definitely helps us.