This repository has been archived by the owner on Mar 19, 2021. It is now read-only.

axe-cli hangs on websites with limited CSP #19

Open
marcysutton opened this issue May 2, 2017 · 6 comments

@marcysutton
Contributor

marcysutton commented May 2, 2017

Related to dequelabs/axe-webdriverjs#35, axe-cli hangs on websites that have a limited Content Security Policy (CSP). Because axe-cli injects a script to make sure you're on the same page (similar to how we used to do it in axe-webdriverjs), it can suffer from the same-origin policy depending on how that site is implemented.

How to reproduce:

  1. Update package.json to pull [email protected]
  2. Run axe-cli directly from this repository code on a site with limited CSP:
     node index.js https://github.com/dequelabs/axe-webdriverjs/
  3. Observe axe-cli hang for the length of the script timeouts, or longer.

I commented out lines 32-43 to avoid the script tag creation and inject the script directly (that was our fix in axe-webdriverjs) but it threw this error:

WebDriverError: {"errorMessage":"Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"script-src assets-cdn.github.com\".\n","request":{"headers":{"Accept":"application/json; charset=utf-8","Connection":"close","Content-Length":"451487","Content-Type":"application/json;charset=UTF-8","Host":"localhost:4444"},"httpVersion":"1.1","method":"POST","post":"{\"script\":\"(function axeFunction(window) {}

I'll keep looking into it, but I wanted to document this while it was on the top of my head.
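
The refusal in the error above comes from a `script-src` directive that lacks `'unsafe-eval'`. As an added example (not part of the original issue and not axe-cli's own code), this is a preflight check a test runner could apply to a response's Content-Security-Policy header values, so it can report that string evaluation or inline script injection will be refused instead of waiting for a timeout. The function names are hypothetical; the sample policy is the one quoted in the error.

```javascript
// Added example; function names are hypothetical, not axe-cli's API.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first one wins.
    if (tokens.length && !directives.has(tokens[0])) {
      directives.set(tokens[0], tokens.slice(1));
    }
  }
  return directives;
}

// First directive present in the fallback chain, or null if none is set.
function effective(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

function checkPolicy(policy) {
  const d = parsePolicy(policy);
  const evalSrc = effective(d, ['script-src', 'default-src']);
  const elemSrc = effective(d, ['script-src-elem', 'script-src', 'default-src']);
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const voidsInline = (s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s);
  return {
    evalAllowed: evalSrc === null || evalSrc.includes("'unsafe-eval'"),
    inlineAllowed: elemSrc === null ||
      (elemSrc.includes("'unsafe-inline'") && !elemSrc.some(voidsInline)),
  };
}

// headerValues: every enforcing Content-Security-Policy header value on the
// response (Report-Only headers block nothing). All policies must agree.
function preflight(headerValues) {
  const results = headerValues
    .flatMap((v) => v.split(','))
    .filter((p) => p.trim())
    .map(checkPolicy);
  return {
    evalAllowed: results.every((r) => r.evalAllowed),
    inlineAllowed: results.every((r) => r.inlineAllowed),
  };
}

// Policy quoted in the error above: both injection paths are refused.
console.log(preflight(['script-src assets-cdn.github.com']));
```

When several policies are delivered, each one is enforced independently, which is why `preflight` requires every policy to allow a behaviour before reporting it as allowed.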

@dylanb
Contributor

dylanb commented Feb 5, 2018

Example site https://www.dunkman.me

@WilcoFiers
Contributor

I did some searching today (also because I'm working on a related problem with Attest devtools). It looks like the only way to get around this is to disable CSP in user preferences. There are no dedicated flags available in Chrome or Firefox to turn it off, nor does webdriver fix this for us.
http://www.seleniumeasy.com/selenium-tutorials/firefox-profile-preferences-using-selenium-webdriver

Funny enough, when I was searching for solutions, this issue right here was just about the only thing I could find of someone trying to do this.

@dylanb
Contributor

dylanb commented Feb 5, 2018

@WilcoFiers I think we could get around this by switching to puppeteer

I asked @stephenmathieson to look into this as part of what he is going to be working on

@WilcoFiers
Contributor

I thought that only worked for Chrome, no?

@stephenmathieson
Member

> I thought that only worked for Chrome, no?

Yes, Puppeteer is designed to work with Chrome. It could technically work with anything that implements the DevTools Protocol, but I don't know of a browser other than Chrome that does this.

I'll be spending some time thinking about this and experimenting with potential solutions to this issue over the next few days.

@stephenmathieson
Member

Has this been resolved?
