fix: enable running axe-core in strict CSPs #1707

Merged
merged 2 commits into from
Jul 17, 2019

Conversation

@straker straker commented Jul 17, 2019

This allows running axe-core's critical path axe.run() in strict CSPs by using deque's fork of doT.js. It will not allow axe to run if the user has configured translations through axe.configure or if using custom rules.

You can verify that our fork of doT.js no longer causes a CSP violation with this codepen https://codepen.io/straker/pen/GVKwde

Linked issue: #1175

Reviewer checks

Required fields, to be filled out by PR reviewer(s)

  • Follows the commit message policy, appropriate for next version
  • Has documentation updated, a DU ticket, or requires no documentation change
  • Includes new tests, or was unnecessary
  • Code is reviewed for security by: Stephen
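
The PR description above turns on one CSP detail: upstream doT.js compiles templates with `new Function`, which a policy that omits `'unsafe-eval'` blocks, so axe.run() could only be used on pages that relaxed their CSP. The following is an added example, not code from axe-core, doT.js or the deque fork, showing how a page that embeds axe-core can check both the declared policy (parsing a CSP header value, honouring the script-src to default-src fallback) and the actual runtime (probing whether dynamic code is permitted) before enabling the template-dependent features the PR says remain unavailable under a strict CSP (translations via axe.configure, custom rules). The sample policies and the `'nonce-PLACEHOLDER'` value are constructed for illustration; nothing here claims how the fork itself avoids `new Function`.

```javascript
// Added example (not axe-core or doT.js code). Two checks for whether
// dynamic code evaluation is available: a static one over a CSP header
// value, and a runtime probe.

// Parse a CSP header value into a Map of directive name -> [source expressions].
// Directives are separated by ';' and tokens by ASCII whitespace. Directive
// names are case-insensitive, and a repeated directive is ignored (the first
// occurrence wins, as the CSP specification requires).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. a trailing ';'
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that governs eval(): script-src if present, otherwise
// default-src. null means the policy does not restrict scripts at all,
// and therefore does not block dynamic code either.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True when the policy permits eval() / new Function(). Keyword sources
// are case-insensitive, so compare in lowercase.
function cspAllowsEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe: can the code we are running in create functions from
// strings? Under a strict CSP the browser throws an EvalError here.
// Node.js applies no CSP, so the probe returns true when run directly.
function runtimeAllowsDynamicCode() {
  try {
    // eslint-disable-next-line no-new-func
    return new Function('return true;')() === true;
  } catch (e) {
    return false;
  }
}

// Constructed sample policies, not taken from any real deployment.
// PERMISSIVE_CSP is the relaxation pages needed before this PR;
// STRICT_CSP is the kind of policy axe.run() can now operate under.
const PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'";
const DEFAULT_ONLY_CSP = "default-src 'self'";
const NO_SCRIPT_RESTRICTION = "img-src 'self'";

// Decide which axe-core features a page could safely enable: the critical
// path always, template-dependent extras only where eval is permitted.
function featuresUsableUnder(header) {
  const evalOk = cspAllowsEval(header);
  return {
    run: true, // axe.run() critical path no longer needs dynamic code
    customRules: evalOk,
    translations: evalOk,
  };
}

const samples = { PERMISSIVE_CSP, STRICT_CSP, DEFAULT_ONLY_CSP, NO_SCRIPT_RESTRICTION };
for (const [label, policy] of Object.entries(samples)) {
  console.log(`${label}: eval ${cspAllowsEval(policy) ? 'allowed' : 'blocked'}`);
}
console.log(`runtime allows dynamic code: ${runtimeAllowsDynamicCode()}`);
```

The static check is the one to run in a build or deployment lint over the headers a site actually sends; the runtime probe is what an embedding page can use in the browser to degrade gracefully instead of failing on the first template compile. Both deliberately say nothing about `script-src-elem` or `script-src-attr`, which do not govern eval().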

@straker straker requested a review from a team as a code owner July 17, 2019 16:28

@stephenmathieson stephenmathieson left a comment

Our fork needs to be published to npm. Using GitHub this way will prevent us from having predictable/reproducible builds.


@stephenmathieson stephenmathieson left a comment

This is amazing.

I might call this a "feat" or "fix" to ensure it shows up in our changelog tho.

@straker straker changed the title chore: use deque fork of doT.js fix: use deque fork of doT.js which allows axe-core critical path to be used in strict CSP Jul 17, 2019
@straker straker changed the title fix: use deque fork of doT.js which allows axe-core critical path to be used in strict CSP fix: enable running axe-core in strict CSPs Jul 17, 2019
@straker straker merged commit cc5bd59 into develop Jul 17, 2019
@straker straker deleted the dequeDot branch July 17, 2019 19:51
WilcoFiers pushed a commit that referenced this pull request Jul 22, 2019
* chore: use deque fork of doT.js

* use npm package
kevindew added a commit to alphagov/govuk_publishing_components that referenced this pull request Dec 30, 2022
This use of unsafe_eval was required when we were using axe-core < 3.31
[1]. We are now using version 4.6.1 so can remove this code.

[1]: dequelabs/axe-core#1707