CSP violation detected for ‘script-src’

What on earth is going on here? Here’s the output from forge tunnel:

=== Running forge lint…
No issues found.

=== Bundling code…

Listening for requests…

Received proxy request. Serving file index.html for resource main from specified address http://localhost:3000
CSP violation detected for ‘script-src’ while serving content at http://localhost:8000/
For an app to share data with external resources or use custom CSP, follow the steps in: https://go.atlassian.com/forge-content-security-and-egress-controls

I have parcel JS running on port 3000. My manifest has the requisite tunnel: parameter.

  - key: main
    path: static/app/dist
      port: 3000
  - key: icons
    path: src/icons
      port: 3000

Oh, strike me purple! The problem has gone away. Some unknown combination of keystrokes in my failing attempts to restart everything made the problem disappear. For now. Fingers and toes crossed.

The problem is back again, and this time I can’t make it go away again. Something in the plumbing isn’t right, clearly.

Hello @david.pinn

I am having same problem. In my case trying to access the forge API from a custom UI application.

How did you manage to solve this?

I just close my eyes and pretend that everything will be ok.

have you tried adding

    styles: unsafe-inline

in your manefest.yml file?

Thank you, Victor. Yes, I have that already.

sorry also:

  - unsafe-inline
  - unsafe-eval

Yes, that seems to work, Victor, but isn’t it… err… unsafe?

but it work eh :slight_smile: lol…
honestly I have no idea, maybe use it only in development