CSP violation detected for ‘script-src’

What on earth is going on here? Here’s the output from forge tunnel:


=== Running forge lint…
No issues found.

=== Bundling code…

Listening for requests…

Received proxy request. Serving file index.html for resource main from specified address http://localhost:3000
CSP violation detected for ‘script-src’ while serving content at http://localhost:8000/
For an app to share data with external resources or use custom CSP, follow the steps in: https://go.atlassian.com/forge-content-security-and-egress-controls

I have parcel JS running on port 3000. My manifest has the requisite tunnel: parameter.

resources:
  - key: main
    path: static/app/dist
    tunnel:
      port: 3000
  - key: icons
    path: src/icons
    tunnel:
      port: 3000

Oh, strike me purple! The problem has gone away. Some unknown combination of keystrokes in my failing attempts to restart everything made the problem disappear. For now. Fingers and toes crossed.

The problem is back again, and this time I can’t make it go away again. Something in the plumbing isn’t right, clearly.

Hello @david.pinn

I am having the same problem. In my case, I'm trying to access the Forge API from a custom UI application.

How did you manage to solve this?


I just close my eyes and pretend that everything will be ok.

Have you tried adding

permissions:
  content:
    styles: unsafe-inline

in your manifest.yml file?

Thank you, Victor. Yes, I have that already.

Sorry, also:

scripts:
  - unsafe-inline
  - unsafe-eval

Yes, that seems to work, Victor, but isn’t it… err… unsafe?

But it works, eh :slight_smile: lol…
Honestly, I have no idea. Maybe use it only in development.

Thanks. May I ask 2 questions please?

maybe use it only in development

  1. What does “unsafe-eval” mean?
  2. Is it not recommended to release this code to the Production environment?

Hello @YY1 @luis.cruz @david.pinn @VictorAmadi,

I am also getting the same error. What’s the solution for the production environment?

Not sure if this helps, but many years ago we found that using webpack’s eval-source-map option (which at the time was the recommendation for development) requires, as the name suggests, eval-ing code which in turn required us to add unsafe-eval to our manifest.

We asked whether there was any guidance for using a different set of permissions for dev vs production in a single manifest, but alas that was not supported:

We also tracked FRGE-1233, but as with seemingly most Forge tickets that we’re interested in, this has remained stuck at “Gathering Interest” for over two years…

(Aside for any Atlassians looking: From an outsider’s perspective, there’s nothing more infuriating than the “Gathering Interest” status, which is where tickets go to die. If something is gathering interest for multiple years, then you should either decide to do it or mark it as “Won’t fix” so we can all move on with our lives.)

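As an added example (not code from this thread, from Forge or from webpack), the following JavaScript lints the permissions.content block that Victor suggested and that Scott's reply explains: it rebuilds the CSP directive each manifest list corresponds to, flags the unsafe-* keywords by target environment, and checks whether a bundle actually contains eval() and therefore needs unsafe-eval at all. It assumes Forge maps each list entry to the CSP source keyword of the same name, which the thread does not state.

```javascript
// Added example, not code from the thread, from Forge or from webpack. It lints
// the manifest.yml permissions.content block discussed above: rebuilds the CSP
// directive each list corresponds to, flags the unsafe-* keywords, and checks
// whether a bundle actually contains eval() (what webpack's eval-source-map emits).
// Assumption: Forge maps each list entry to the CSP source keyword of the same name.

const RISKY_KEYWORDS = {
  "unsafe-inline": "inline <script> blocks and event-handler attributes execute, so injected markup runs",
  "unsafe-eval": "eval(), new Function() and string timers execute, so injected strings become code",
};

// The thread shows `styles: unsafe-inline` as a scalar and `scripts:` as a list; accept both.
function asList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// CSP quotes keywords ('self', 'unsafe-eval') but not host sources.
function toDirective(name, entries) {
  const quoted = entries.map((e) => (/^(self|none|unsafe-[a-z-]+)$/.test(e) ? `'${e}'` : e));
  return `${name} 'self' ${quoted.join(" ")}`.trim();
}

// One finding per risky keyword; severity depends on the target environment.
function lintContentPermissions(content, environment) {
  const directives = { scripts: "script-src", styles: "style-src" };
  const findings = [];
  for (const [key, directive] of Object.entries(directives)) {
    const entries = asList(content[key]);
    for (const keyword of entries.filter((e) => Object.prototype.hasOwnProperty.call(RISKY_KEYWORDS, e))) {
      findings.push({
        directive: toDirective(directive, entries),
        keyword,
        severity: environment === "production" ? "high" : "info",
        reason: RISKY_KEYWORDS[keyword],
      });
    }
  }
  return findings;
}

// True when the bundle needs 'unsafe-eval' at all: eval-source-map wraps each module
// in eval("..."); the plain source-map devtool does not, so the keyword can be dropped.
function bundleNeedsUnsafeEval(bundleSource) {
  return /\beval\s*\(|\bnew\s+Function\s*\(/.test(bundleSource);
}

// Constructed sample: Victor's manifest fragment from the thread, linted for production.
console.log(lintContentPermissions({ styles: "unsafe-inline", scripts: ["unsafe-inline", "unsafe-eval"] }, "production"));
```

Running the linter in a pre-deploy step lets a team keep unsafe-eval for the eval-source-map dev build while failing the production build that still carries it.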

Thank you @scottohara for sharing this background; it definitely helps us.