Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] This project does not play well with CSP #101

Open
stoic-hugo opened this issue Oct 14, 2024 · 2 comments
Open

[Bug] This project does not play well with CSP #101

stoic-hugo opened this issue Oct 14, 2024 · 2 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@stoic-hugo
Copy link
Contributor

stoic-hugo commented Oct 14, 2024

Hi! Very nice project you have here!

I added the CF Pages URL with the tracker JS to the script in content security policy, but then other elements also get blocked, like some inline images and styles. I would have to disable my CSP entirely to get this project to work. (Also had to set unsafe-inline due to the inline items)

@benvinegar benvinegar added bug Something isn't working good first issue Good for newcomers labels Oct 21, 2024
@benvinegar
Copy link
Owner

Hey @ka259 – thanks for highlighting this.

I haven't verified yet, but I'll take your word for it because I'd hadn't accounted for CSP at any point during this project (super ambarrassing, especially given I once gave a talk on CSP).

Will definitely be prioritizing.

@stoic-hugo
Copy link
Contributor Author

stoic-hugo commented Oct 21, 2024

Thanks for the reply and self-awareness. I will be waiting for that update with grace.

Here's some error messages to go by from my test using Hugo's server config (A really handy feature). The errors are mostly from the tracker.js file

Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at https://counterscale-{site}.pages.dev/tracker.js from being executed because it violates the following directive: “script-src http://localhost:1313”

This one I am aware of, so nothing is needed from your side. I added https://counterscale-{site}.pages.dev/ to my headers file. (But perhaps this can be documented in the readme file.)

Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://counterscale-{site}.pages.dev/collect?p=%2F&h=http%3A%2F%2Flocalhost&r=&sid={siteID} because it violates the following directive: “img-src http://localhost:1313”

This code img.src = url + stringifyObject(d); in the tracker.js file was singled out by the browser.

Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src http://localhost:1313”

img.setAttribute("style", "position:absolute"); and document.body.appendChild(img); in tracker.js singled out. I had to add unsafe-inline to this attribute.

I also added the counterscale URL to the connect-src coz I am not sure if it is needed, but I tested Goatcounter (another analytics project) and adding the /collect endpoint was required.

cc @benvinegar. Hope that helps

@stoic-hugo stoic-hugo changed the title This project does not play well with CSP [Bug] This project does not play well with CSP Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working good first issue Good for newcomers
Projects
None yet
Development

No branches or pull requests

2 participants