-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP blocking Lit for web component #549
Comments
I tried to repro this locally using the mesop from pip. Well, technically I tried creating the counter app described here: https://google.github.io/mesop/web_components/quickstart/ That seemed to work for me. It loaded lit correctly. No CSP issue. So it's curious why lit is being blocked for you locally. |
@ghchinoy can you include the Chrome DevTools console error messages that you're seeing? It will provide more details than the network tab (which I think you're screenshotting). |
Hmm, I also made a small svg component by itself and it works no blocked CSP, but my larger application still has an issue https://github.com/ghchinoy/mesop-svg-icon the console error, for posterity: Refused to load the script 'https://cdn.jsdelivr.net/gh/lit/dist@3/core/lit-core.min.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback. |
Looks like there was a CSP mis-configuration with the larger app (addressed in internal chat). Filed #566 to improve the developer experience for fixing these kinds of errors - thanks. |
Describe the bug
Lit (lit-core.min.js) being blocked by CSP with and without
page(allowed_script_srcs=["https://cdn.jsdelivr.net/gh/lit/dist@3/core/lit-core.min.js", "https://cdn.jsdelivr.net/]
on page with local and hosted mesopTo Reproduce
Steps to reproduce the behavior:
Create a minimal web component, whose JS's
render
method looks like so:with related component py:
and attempt to load it in the main.py and render.
Expected behavior
SVG (web component) renders without Lit being blocked :)
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop System Info
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: