Task #3068

closed

GWT UI doesn't work on Chrome and Safari after Gerrit upgrade

Added by David Ostrovsky over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Category: Gerrit
Target version: -
Start date:
Due date:
% Done: 0%
Tags:

Description

This is a follow-up to the Gerrit upgrade.

After switching to the GWT UI at the bottom of the Gerrit site,
the page fails to load with this error message:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' data:".

at <anonymous>:1:1
at m (gerrit_ui.nocache.js:formatted:219)
at gerrit_ui.nocache.js:formatted:233
at HTMLDocument.d (gerrit_ui.nocache.js:formatted:185)

The reason is a too strict custom content-security-policy:

content-security-policy: default-src 'none'; font-src 'self'; img-src 'self' https://bestpractices.coreinfrastructure.org https://scan.coverity.com https://*.documentfoundation.org; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'; connect-src 'self'

The same Gerrit version 2.16.13 works as expected on Chrome
and Safari for the LinuxFoundation site on the GWT UI: [1].

Related issue upstream: [2]. The problem was already reported
on the dev mailing list: [3].

[1] https://gerrit.fd.io/r/#/q/status:open
[2] https://bugs.chromium.org/p/gerrit/issues/detail?id=12134
[3] https://lists.freedesktop.org/archives/libreoffice/2020-January/thread.html#84102
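
The check the browser applies to the policy above, as an added example that is not part of the original task or of Gerrit: it parses a CSP header, picks the directive that governs scripts, and reports whether eval() is permitted. The function names and the `WITH_EVAL` variant are constructed for illustration; the task does not show the policy that was actually deployed afterwards.

```javascript
// Added example: constructed helper, not Gerrit or Redmine code.
// Parse a Content-Security-Policy header value into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec a repeated directive is ignored; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// The directive that governs script execution: script-src, else default-src.
function effectiveScriptDirective(policy) {
  if (policy.has('script-src')) return 'script-src';
  if (policy.has('default-src')) return 'default-src';
  return null; // no directive restricts scripts
}

// Report whether eval()/new Function() are allowed and which broad
// script sources the governing directive contains.
function auditScriptPolicy(header) {
  const policy = parseCsp(header);
  const directive = effectiveScriptDirective(policy);
  if (directive === null) {
    return { directive: null, evalAllowed: true, broadSources: [] };
  }
  const sources = policy.get(directive).map((s) => s.toLowerCase());
  const broad = ["'unsafe-inline'", "'unsafe-eval'", 'data:', '*'];
  return {
    directive,
    evalAllowed: sources.includes("'unsafe-eval'"),
    broadSources: sources.filter((s) => broad.includes(s)),
  };
}

// Policy quoted in the task description.
const REPORTED = "default-src 'none'; font-src 'self'; img-src 'self' https://bestpractices.coreinfrastructure.org https://scan.coverity.com https://*.documentfoundation.org; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'; connect-src 'self'";
// Constructed variant (assumption): same policy with 'unsafe-eval' added to script-src.
const WITH_EVAL = REPORTED.replace("script-src 'self'", "script-src 'self' 'unsafe-eval'");

console.log(auditScriptPolicy(REPORTED));
console.log(auditScriptPolicy(WITH_EVAL));
```

For the reported policy the result has `evalAllowed: false`, which matches the EvalError raised from gerrit_ui.nocache.js; `broadSources` also lists what else the script directive already permits.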

Actions #1

Updated by Guilhem Moulin over 4 years ago

  • Status changed from New to Closed

Done, temporarily weakened the CSP until we upgrade to 3.0 and drop GWT UI support.

Actions #2

Updated by David Ostrovsky over 4 years ago

> Done, temporarily weakened the CSP until we upgrade to 3.0 and drop GWT UI support.

Thanks for the quick fix; it works as expected now.
