Content Security Policy

Question

Content Security Policy

sunfish opened this issue 3 months ago · 4 comments

Dear Tanel, in my typo3 12.4.11 installation using vimeovideo 1.1.0 I try to add a vimeo video from fileadmin vimeo record.
ajax-dispatcher.js sends an error:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-HBqM27mCpBWfCcY8KRQYGCJmCeAeJ6YuhbFEcHdE4SfN7GpGYEXiyA' 'report-sample'".

Can anyone give me a tip on how to solve this problem? do I need to set a special content security policy directive? 'unsafe-eval' can't be the right solution?

Answer 1 · 2024-06-15T08:48:25.000Z

It's due to start and end time field evaluation that's inline right now and should be moved to external JS file. Will be done sooner or later, need to take time for it...

Answer 2 · 2024-06-21T08:14:44.000Z

Seeing how time seems to be an issue, is there a good, reliable workaround? Or a hint as to where this CSP is set and, hence, could be altered?

Answer 3 · 2024-06-25T10:49:34.000Z

I'm not sure there is one at the moment, not without altering the code.

Answer 4 · 2024-06-25T11:39:15.000Z

You can give it a try with the latest dev version now. No official release yet.