Axe-core fails under strict content security policy due to eval script (EvalError) #1175
Comments
Thanks for reporting, and for digging into this. That's helpful. @stephenmathieson is this code we added or does this come from doT? Any thoughts on a workaround?
@WilcoFiers the short answer is "both". The doT template engine uses both Last month, I tried to refactor the linked LOCs, but due to all of the
Thanks @WilcoFiers and @stephenmathieson for the details. This issue is currently blocking us from integrating axe-core into our testing story. We don't have the option to change our CSP. I don't know to what extent axe-core requires a templating engine, but doT doesn't look like it's under active development and is stale. Has there been any thought for a replacement? I'm sure there are comparable solutions from a perf perspective. Forking doT might be another option. Would be happy to provide assistance. Thanks!
FYI this is a dupe of dequelabs/react-axe#54 and #1158. doT is not the only place where eval-likes are being used. I found a usage of To solve this issue, you need to refactor to not use dynamic code generation (e.g. replace things like The code in audit.js seems tricky to modify and I don't have enough context to be able to give a recommendation. Ideally, you should refactor the code so that
Yeah, some of those eval
Just to add a data point, we are also blocked from upgrading past
The Axe-core library that govuk_publishing_components uses makes use of a dependency that uses the eval function, so this directive is needed until that is removed.

Relevant project issues:
- dequelabs/axe-core#1175
- olado/doT#276

The effect of this issue is that all use of component guides triggers CSP errors for every page view. Oddly, this issue doesn't seem to be observable in Chrome when report-only is on, but can be seen in Firefox.
Our efforts to support the Chrome Manifest V3 may provide a solution to this, but that would be a breaking change and would require axe-core v4. Custom rules would break too, which would impact @muan
The best we can do for now is to remove all
No product docs required.
@straker Is this testable by QA? I think we need a test site that has CSP. Need your inputs on it. Please close this issue if it is not testable by QA.
QA can verify using the two CodePens: shows CSP error: https://codepen.io/drewlee/full/qJZZbx
@chandana7393 Please test this. Let me know if you need help.
@chandana7393 the pen you used for verification doesn't actually include the axe-core version that has the CSP fix patch. That was simply a demo of a suggested fix, using v3.1.2. However, I've put up a new pen which includes v3.3.1 and have verified that it resolves the issue. See https://codepen.io/drewlee/full/zgWONO. Thanks everyone for addressing this!
This adds the GOV.UK security policy to the dummy application of this gem. This means that when using this app in dev or viewing it at https://components.publishing.service.gov.uk/component-guide the GOV.UK CSP will apply. This also has to unfortunately allow unsafe-eval for JS so that the component-guide browser can use AXE.

Relevant project issues:
- dequelabs/axe-core#1175
- olado/doT#276
Hi... I am also facing the same issue with the Axe-core integration with Java. Currently, I am using the below dependency in POM.xml file
Any plan to fix this issue with Java integration as well? I can't update the dependency to 3.5. Any workaround which I can use to fix the issue? Please let me know. I am currently blocked due to this.
Axe-core script fails under strict content security policy which disallows unsafe eval() executions. The source of the violations is stemming from the doT library and is documented here: olado/doT#276.
The issues can be attributed to two specific areas:
Mitigating these two areas of the script seems to resolve the issue as demoed under the fixed link below. It seems that this package (doT) is no longer under active development, and the owners do not care for addressing the security violations. It would be advisable to avoid this package altogether, if possible.
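The following is an added example written for this page; it is not code from axe-core or doT. It illustrates both the report above and the earlier comment that the fix is to "refactor to not use dynamic code generation": a simplified doT-style compiler that feeds generated source to `new Function` (the call a `script-src` policy without `'unsafe-eval'` rejects with an EvalError), an eval-free interpreter for the same `{{=it.path}}` syntax, a static check on a serialized policy string, and a runtime probe a library could use to pick the eval-free path. The function names, the two policy strings (modelled on the strict policy described in the thread and on the `'unsafe-eval'` relaxation GOV.UK added), and the sample template and data are all assumptions made for this example.

```javascript
// Added example, not axe-core's or doT's code. Policy strings are modelled
// on the thread: the strict one blocks new Function/eval, the second is the
// 'unsafe-eval' relaxation that a consumer otherwise has to add.
const STRICT_CSP = "default-src 'self'; script-src 'self'";
const RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";

// Static check on a serialized policy. It applies the script-src -> default-src
// fallback only; a full CSP parser would also handle 'strict-dynamic' and nonces.
function policyAllowsEval(csp) {
  const byName = {};
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0]) byName[parts[0].toLowerCase()] = parts.slice(1);
  }
  const sources = byName['script-src'] || byName['default-src'] || [];
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe. A browser enforcing a policy without 'unsafe-eval' throws an
// EvalError here; returning false lets a library choose an eval-free path
// instead of failing on first use, as the report describes.
function cspAllowsEval() {
  try {
    new Function('return 1');
    return true;
  } catch (e) {
    return false;
  }
}

// Simplified doT-style compiler: template text becomes JavaScript source,
// "{{=expr}}" becomes string concatenation, and new Function turns the source
// into a renderer. This is exactly the pattern a strict CSP forbids.
function compileWithNewFunction(template) {
  const source = template
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\n/g, '\\n')
    .replace(/\{\{=([\s\S]+?)\}\}/g, "'+($1)+'");
  return new Function('it', "return '" + source + "';");
}

// Eval-free replacement: parse once into literal and path tokens, then render
// by walking the data object. Only dotted paths off "it" are supported, and
// anything else is rejected at parse time so a port never silently drops output.
function parseTemplate(template) {
  const tokens = [];
  const re = /\{\{=\s*it((?:\.[A-Za-z_$][\w$]*)+)\s*\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    if (m.index > last) tokens.push({ text: template.slice(last, m.index) });
    tokens.push({ path: m[1].slice(1).split('.') });
    last = re.lastIndex;
  }
  if (last < template.length) tokens.push({ text: template.slice(last) });
  for (const t of tokens) {
    if (t.text !== undefined && t.text.includes('{{')) {
      throw new Error('unsupported template expression: ' + t.text);
    }
  }
  return tokens;
}

// Own-property walk only, so a path can never reach prototype members.
function lookup(obj, path) {
  let cur = obj;
  for (const key of path) {
    if (cur === null || (typeof cur !== 'object' && typeof cur !== 'function')) {
      return undefined;
    }
    cur = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
  }
  return cur;
}

function renderWithoutEval(tokens, it) {
  let out = '';
  for (const t of tokens) {
    out += t.text !== undefined ? t.text : String(lookup(it, t.path));
  }
  return out;
}

// Constructed sample shaped like a rule-result message; not real axe output.
const SAMPLE_TEMPLATE = 'Rule {{=it.id}} failed on {{=it.node.target}}';
const SAMPLE_DATA = { id: 'color-contrast', node: { target: '#main > p' } };

function demo() {
  const evalFree = renderWithoutEval(parseTemplate(SAMPLE_TEMPLATE), SAMPLE_DATA);
  const viaNewFunction = cspAllowsEval()
    ? compileWithNewFunction(SAMPLE_TEMPLATE)(SAMPLE_DATA)
    : 'blocked by CSP (EvalError)';
  return {
    strictAllowsEval: policyAllowsEval(STRICT_CSP),
    relaxedAllowsEval: policyAllowsEval(RELAXED_CSP),
    evalFree,
    viaNewFunction,
  };
}

console.log(demo());
```

Run under Node, where no CSP applies, both renderers produce the same string; served from a page under `STRICT_CSP`, `compileWithNewFunction` throws on the `new Function` call while `renderWithoutEval` still works, which is the behaviour difference the report is about. The interpreter deliberately supports only the `{{=it.a.b}}` subset, so any template relying on arbitrary expressions fails loudly at parse time rather than being ported incorrectly.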