Update content security policy #2834
What
The content security policy (CSP) currently allows unsafe-eval for JS so that the component-guide browser can use AXE. Relevant project issues:
We can now remove the code that allows unsafe-eval for JS:
https://github.com/alphagov/govuk_publishing_components/blob/main/app/controllers/govuk_publishing_components/application_controller.rb#L13-L17
The issue was fixed in version 3.3.1 of axe-core:
dequelabs/axe-core#1707
We are currently using version 3.5.5:
https://github.com/alphagov/govuk_publishing_components/blob/main/yarn.lock#L360
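A way to confirm the result this issue asks for, as an added example that is not part of the issue or of the project's code: a small Ruby check that reports whether a `Content-Security-Policy` header value still permits `eval()`. The function names and the sample header strings are constructed for illustration.

```ruby
# Added example: decides whether a Content-Security-Policy header value
# still lets JavaScript call eval(). Header strings below are constructed.

# Parse one serialized policy into { directive_name => [source, ...] }.
def parse_policy(policy)
  policy.split(";").each_with_object({}) do |part, directives|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil?
    # Per the CSP spec, a repeated directive is ignored; the first one wins.
    directives[name.downcase] ||= sources.map(&:downcase)
  end
end

# eval() is governed by script-src, falling back to default-src.
# A policy with neither directive places no restriction on eval().
def policy_allows_eval?(policy)
  directives = parse_policy(policy)
  sources = directives["script-src"] || directives["default-src"]
  return true if sources.nil?
  sources.include?("'unsafe-eval'")
end

# A header may carry several comma-separated policies; every one of them
# must permit eval() for the browser to allow it.
def header_allows_eval?(header_value)
  policies = header_value.split(",").map(&:strip).reject(&:empty?)
  return true if policies.empty?
  policies.all? { |p| policy_allows_eval?(p) }
end

# Constructed sample headers (not taken from the project).
SAMPLES = {
  "before" => "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "after" => "default-src 'self'; script-src 'self'",
  "fallback" => "default-src 'self' 'unsafe-eval'; img-src *",
  "two policies" => "script-src 'self' 'unsafe-eval', script-src 'self'",
}

SAMPLES.each do |label, header|
  puts "#{label}: eval #{header_allows_eval?(header) ? 'allowed' : 'blocked'}"
end
```

The `fallback` case shows why checking only `script-src` is not enough: with no `script-src` directive, an `'unsafe-eval'` left in `default-src` still applies to scripts.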