Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bull-master breaks with strict Content Security Policy headers #304

Open
jcarrillo7 opened this issue Mar 17, 2021 · 1 comment
Open

bull-master breaks with strict Content Security Policy headers #304

jcarrillo7 opened this issue Mar 17, 2021 · 1 comment

Comments

@jcarrillo7
Copy link

Using CSP headers which disallow unsafe inline scripts breaks bull master. From a quick look it looks like it is mainly due to how basePath is passed to the client.

The generated HTML ends up with:

<script>
      window.basePath = '.....'
</script>

Which breaks CSP (using helmet can be used to expose this). One alternative would be to provide a way to pass the per-request nonce to bull-master (or pick it up from res.locals if set there). Or just completely avoid this mechanism for passing the basePath to the client.
@hans-lizihan
Copy link
Owner

@jcarrillo7 thanks for the feedback, I could do a refactor to move basePath to session

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jcarrillo7 @hans-lizihan