CSP error when clicking on "Create your first Dashboard" #4039

Closed
jezdez opened this issue Aug 5, 2019 · 7 comments

@jezdez
Member

jezdez commented Aug 5, 2019

Issue Summary

When clicking on the "Create your first Dashboard" link after setup I get a CSP error in the browser console.

Steps to Reproduce

  1. Set up Redash following the Docker dev docs.
  2. Set up a data source (e.g. the postgres container).
  3. Add a query.
  4. Try to click on the "Create your first Dashboard" link.

I believe the change in 9480d89#diff-90812e4fcbcd1df5f887a43bda5953f5R125 resulted in the code that is run when clicking on the link being considered inline, instead of the separate function before.

Technical details:

  • Redash Version: 8.0.0beta
  • Browser/OS: Firefox/macOS 10.14
  • How did you install Redash: Docker

@arikfr
Member

arikfr commented Aug 6, 2019

What is the message you receive?

@jezdez
Member Author

jezdez commented Aug 6, 2019

In Chrome (😬):

"Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution."

@jezdez
Member Author

jezdez commented Aug 6, 2019

I think this is about the difference between:

-            onClick={createDashboard}
+            onClick={() => CreateDashboardDialog.showModal()}
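
Review bot: on the `+` line the arrow function is still a function value passed to React's `onClick` prop, the same as `createDashboard` on the `-` line, and React binds both through its own event listeners rather than as an inline handler attribute, so this swap by itself gives `script-src` nothing to block. The error quoted above says "Refused to run the JavaScript URL", which points at a `javascript:` URL on the link, so check the rendered element's `href` before reverting this line.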

@kravets-levko
Collaborator

@jezdez I think it may happen because of javascript:void(0) in Step component 🤔

@jezdez
Member Author

jezdez commented Aug 6, 2019

Ah, that could be it?

@kravets-levko
Collaborator

I think so. If you can experiment with it - try to remove javascript:void(0) there (use null or something like that instead), and check if the issue is still present or fixed.

@arikfr
Member

arikfr commented Aug 12, 2019

@kravets-levko is correct. I will fix it.

arikfr added a commit that referenced this issue Aug 12, 2019
arikfr closed this as completed in 685b536 Aug 12, 2019
harveyrendell pushed a commit to pushpay/redash that referenced this issue Nov 14, 2019
* Fix: remove inline script to avoid CSP violation

Closes getredash#4039.

* Restore eslint rule that prevents javascript href attributes.

* Remove all inline script links.
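
A check for the failure discussed in this thread, as an added example that is not part of the original issue or Redash's code: it tests whether a policy such as the one in the error message permits `javascript:` URLs, and flags `href="javascript:..."` attributes in source text. The function names and the sample JSX are constructed for illustration, and the policy evaluation is a simplified model of CSP Level 3.

```javascript
// Added example, not Redash code. Simplified model of CSP Level 3 rules for
// javascript: URLs; hash matching via 'unsafe-hashes' is not modelled.

// Parse a policy string into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// True when the policy lets a javascript: URL execute.
function allowsJavascriptUrls(policy) {
  const directives = parsePolicy(policy);
  // Fallback chain for inline script checks.
  const sources = ['script-src-elem', 'script-src', 'default-src']
    .map((name) => directives.get(name))
    .find((list) => list !== undefined);
  if (sources === undefined) return true; // nothing governs scripts
  const lowered = sources.map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const cancelsInline = lowered.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return !cancelsInline && lowered.includes("'unsafe-inline'");
}

// Report each href="javascript:..." in JSX/HTML source as { line, text }.
function findJavascriptHrefs(source) {
  const hits = [];
  source.split('\n').forEach((text, index) => {
    if (/href\s*=\s*\{?\s*["'`]\s*javascript:/i.test(text)) {
      hits.push({ line: index + 1, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample markup, not the project's actual Step component.
const sampleJsx = [
  '<a href="javascript:void(0)" onClick={onClick}>{text}</a>',
  '<a href={url} onClick={onClick}>{text}</a>',
].join('\n');

console.log(allowsJavascriptUrls("script-src 'self' 'unsafe-eval'"), findJavascriptHrefs(sampleJsx));
```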