I am new to Metabase. I have downloaded the Metabase source code and hosted it on an Ubuntu 16.04 LTS server. When I start the Metabase server with the "lein ring server" command, I get "java.awt.HeadlessException". I have read somewhere in the GitHub issues that it can be ignored. The front end is built with the "yarn run build-hot" command. When accessing the front end from the browser, I get the following errors:

Refused to load the script 'http://locahost:8080/app/dist/vendor.hot.bundle.js?222bfa78ab06d868cbf4' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://maps.google.com https://apis.google.com https://www.google-analytics.com https://*.googleapis.com *.gstatic.com localhost:8080".

Refused to load the script 'http://locahost:8080/app/dist/app-main.hot.bundle.js?222bfa78ab06d868cbf4' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://maps.google.com https://apis.google.com https://www.google-analytics.com https://*.googleapis.com *.gstatic.com localhost:8080".

1 Answers

It seems like a CSP issue. You can fix this problem using

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

<meta http-equiv="Content-Security-Policy" content="default-src 'self'  https://www.google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com; style-src 'unsafe-inline' 'self' https://www.google.com; connect-src 'self' https://api.gole.in;img-src 'self' https://www.google.co.in/ads/ga-audiences; font-src 'self' data: https://fonts.gstatic.com;">

How to allow eval()?

I'm sure many people would say that you don't, since 'eval is evil' and the most likely cause for the impending end of the world. Those people would be wrong. Sure, you can definitely punch major holes into your site's security with eval, but it has perfectly valid use cases. You just have to be smart about using it. You allow it like so:

content="script-src 'unsafe-eval'"

Reference link: https://content-security-policy.com/
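Added example, not part of the original question or answer: a small Node.js check that tests a blocked script URL against the `script-src` list quoted in the error, to see which source expression (if any) covers it. The matching is a simplified subset of the CSP rules, and `PAGE` (the origin the app is loaded from) and the function names are assumptions made for illustration.

```javascript
// Added example: simplified subset of CSP source-list matching (keywords,
// scheme-sources, host-sources with optional scheme/wildcard/port; paths ignored).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the source expressions of one directive, or null if it is absent.
function directiveSources(policy, name) {
  for (const part of policy.split(';')) {
    const [head, ...sources] = part.trim().split(/\s+/);
    if (head.toLowerCase() === name) return sources;
  }
  return null;
}

function sourceMatches(source, target, page) {
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const scheme = (m[1] ? m[1] + ':' : page.protocol).toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3];
  // An http source also covers the https upgrade of the same host.
  if (target.protocol !== scheme && !(scheme === 'http:' && target.protocol === 'https:')) return false;
  const hostOk = host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1))
    : target.hostname === host;
  if (!hostOk) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol];
  if (port === undefined) return targetPort === DEFAULT_PORT[target.protocol];
  return port === '*' || port === targetPort;
}

// Which source expression (if any) allows scriptUrl on a page served from pageOrigin?
function checkScript(policy, scriptUrl, pageOrigin) {
  const target = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  const sources = directiveSources(policy, 'script-src') || [];
  const matchedBy = sources.find((s) => sourceMatches(s, target, page)) || null;
  return { allowed: matchedBy !== null, matchedBy };
}

// Directive copied from the error in the question; PAGE is a constructed origin.
const POLICY = "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://maps.google.com https://apis.google.com https://www.google-analytics.com https://*.googleapis.com *.gstatic.com localhost:8080";
const PAGE = 'http://192.0.2.10:3000';
const blocked = 'http://locahost:8080/app/dist/vendor.hot.bundle.js?222bfa78ab06d868cbf4';
console.log(checkScript(POLICY, blocked, PAGE));
console.log(checkScript(POLICY, blocked.replace('locahost', 'localhost'), PAGE));
```

Run against the values in the question, the blocked URL's host `locahost` matches none of the listed sources, while the same path on `localhost:8080` is covered by the existing `localhost:8080` entry.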