This is not a general programming / coding question. (Those should be directed to the webtips Q & A forum).
This is not a source plugin (fileinput) issue. (Those should be directed to the plugin issues repo).
I have attempted to find the simplest possible steps to reproduce the issue.
I have included a failing test as a pull request (Optional).
Steps to reproduce the issue
Use the file widget anywhere and load the page.
This error is found in the console:
"[Report Only] Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/[email protected]/font/bootstrap-icons.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
[Report Only] Refused to load the font 'https://cdn.jsdelivr.net/npm/[email protected]/font/fonts/bootstrap-icons.woff2?856008caa5eb66df68595e734e59580d' because it violates the following Content Security Policy directive: "font-src 'self'".
[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-< nonce-key >'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
"
Expected behavior and actual behavior
When I follow those steps, I see the above issue where I need to whitelist all the URLs and these are the external links I do not want to use in my application. Also, the script tags are missing the nonce key which I cannot add by myself to the source code.
I expected to adhere to the CSP policy by not using external assets links. Also, the script tag needs "nonce-" to adhere to the CSP policy which cannot be added to the script tag by ourselves.
Prerequisites
master branch of yii2-widget-fileinput.
Environment
Browsers
Operating System
Libraries
Isolating the problem
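The three console messages in the report follow from how a browser resolves a directive (`style-src-elem` falling back to `style-src`) and from the rule that a nonce in the source list disables `'unsafe-inline'`. The JavaScript below is an added example, not part of the original issue or of the widget's code; it implements only a subset of CSP matching. The policy string is assembled from the directives quoted in the messages, while the nonce value, page origin and asset paths are constructed placeholders.

```javascript
// Added example: subset of CSP matching ('self', exact origins, 'unsafe-inline', nonces).
// PAGE, the nonce value and all asset paths below are constructed placeholders.
const PAGE = 'https://app.example';
const POLICY = parsePolicy(
  "style-src 'self' 'unsafe-inline'; font-src 'self'; " +
  "script-src 'self' 'unsafe-inline' 'nonce-R4nd0m'");
const FALLBACK = { 'style-src-elem': 'style-src', 'script-src-elem': 'script-src' };

function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Resolve the governing directive: specific -> parent -> default-src.
function effective(policy, directive) {
  for (const d of [directive, FALLBACK[directive], 'default-src']) {
    if (d && policy[d]) return { name: d, sources: policy[d] };
  }
  return null; // nothing governs this load, so it is allowed
}

function allowsUrl(policy, directive, url, pageOrigin) {
  const eff = effective(policy, directive);
  if (!eff) return true;
  const origin = new URL(url).origin;
  return eff.sources.some(s =>
    (s === "'self'" && origin === pageOrigin) ||
    (!s.startsWith("'") && s.includes('://') && new URL(s).origin === origin));
}

function allowsInline(policy, directive, nonce) {
  const eff = effective(policy, directive);
  if (!eff) return true;
  const nonces = eff.sources.filter(s => /^'nonce-.+'$/.test(s));
  const hasHash = eff.sources.some(s => /^'sha(256|384|512)-/.test(s));
  // A nonce or hash in the list makes the browser ignore 'unsafe-inline'.
  if (nonces.length || hasHash) return Boolean(nonce) && nonces.includes(`'nonce-${nonce}'`);
  return eff.sources.includes("'unsafe-inline'");
}

// CDN stylesheet is refused; the same file served from the app's own origin passes.
console.log(allowsUrl(POLICY, 'style-src-elem', 'https://cdn.jsdelivr.net/npm/pkg/icons.min.css', PAGE));
console.log(allowsUrl(POLICY, 'style-src-elem', PAGE + '/assets/icons.min.css', PAGE));
// Inline script without a nonce is refused even though 'unsafe-inline' is listed.
console.log(allowsInline(POLICY, 'script-src-elem', undefined));
```

Under this policy the two fixes the report asks for are the ones that flip the results: assets served from the application's own origin, and inline scripts that carry the page's nonce.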