CSP violation detected for ‘script-src’

What on earth is going on here? Here’s the output from forge tunnel:


=== Running forge lint…
No issues found.

=== Bundling code…

Listening for requests…

Received proxy request. Serving file index.html for resource main from specified address http://localhost:3000
CSP violation detected for ‘script-src’ while serving content at http://localhost:8000/
For an app to share data with external resources or use custom CSP, follow the steps in: https://go.atlassian.com/forge-content-security-and-egress-controls

I have parcel JS running on port 3000. My manifest has the requisite tunnel: parameter.

resources:
  - key: main
    path: static/app/dist
    tunnel:
      port: 3000
  - key: icons
    path: src/icons
    tunnel:
      port: 3000

Oh, strike me purple! The problem has gone away. Some unknown combination of keystrokes in my failing attempts to restart everything made the problem disappear. For now. Fingers and toes crossed.

The problem is back again, and this time I can’t make it go away again. Something in the plumbing isn’t right, clearly.

Hello @david.pinn

I am having the same problem. In my case, I am trying to access the Forge API from a custom UI application.

How did you manage to solve this?

I just close my eyes and pretend that everything will be ok.

Have you tried adding

permissions:
  content:
    styles:
      - unsafe-inline

in your manifest.yml file?

Thank you, Victor. Yes, I have that already.

Sorry, also:

scripts:
  - unsafe-inline
  - unsafe-eval

Yes, that seems to work, Victor, but isn’t it… err… unsafe?

But it works, eh? lol…
Honestly, I have no idea; maybe use it only in development.

Thanks. May I ask 2 questions please?

maybe use it only in development

  1. What does “unsafe-eval” mean?
  2. Is it not recommended to release the code to the Production environment?
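
For reference on the two script values suggested in the thread, here is an added example that is not part of any post: in CSP, 'unsafe-eval' permits string-to-code calls (eval(), new Function(), string-argument timers), and 'unsafe-inline' permits inline script elements and inline event handlers. The sketch below scans built output for those constructs so you can see which relaxation, if any, a bundle actually needs; the function names and sample input are illustrative and constructed.

```javascript
// Added example: reports which script-src relaxations a built page would need.
// Heuristic regex scan, not a full HTML/JS parser; all names are illustrative.
// Constructs that CSP blocks unless 'unsafe-eval' is in script-src.
const EVAL_PATTERNS = [
  { name: "eval()", re: /\beval\s*\(/ },
  { name: "new Function()", re: /\bnew\s+Function\s*\(/ },
  { name: "string timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

// Returns findings for JavaScript source text.
function scanScript(js) {
  return EVAL_PATTERNS.filter((p) => p.re.test(js))
    .map((p) => ({ needs: "unsafe-eval", construct: p.name }));
}

// Returns findings for an HTML document, including its inline script bodies.
function scanHtml(html) {
  const findings = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptTag)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external file, not inline
    if (body.trim() === "") continue;
    findings.push({ needs: "unsafe-inline", construct: "inline <script>" });
    findings.push(...scanScript(body));
  }
  // Inline event handler attributes such as onclick="..."
  const withoutScripts = html.replace(scriptTag, "");
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(withoutScripts)) {
    findings.push({ needs: "unsafe-inline", construct: "inline event handler" });
  }
  return findings;
}

// Distinct relaxations needed by a set of findings, sorted.
function requiredRelaxations(findings) {
  return [...new Set(findings.map((f) => f.needs))].sort();
}

// Constructed sample input (not taken from the thread).
const sampleHtml = `<!doctype html>
<html><body>
<button onclick="save()">Save</button>
<script>window.cfg = { debug: true };</script>
<script src="app.js"></script>
</body></html>`;
const sampleJs = `const add = new Function("a", "b", "return a + b");
setTimeout(() => console.log(add(1, 2)), 10);`;

console.log(requiredRelaxations([...scanHtml(sampleHtml), ...scanScript(sampleJs)]));
```

An empty result from both scanners means the output contains none of these constructs, so the violation is coming from somewhere other than the bundle itself.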