馃摎 Update docs with Helmet CSP support #701
Conversation
|
Will reopen after handling all edge cases |
| /** @by-us - adds graphiql support over helmet's default CSP */ | ||
| "'unsafe-inline'", | ||
| /** @by-us - adds graphiql support over helmet's default CSP */ | ||
| "'unsafe-eval'", |
There was a problem hiding this comment.
Why we need eval here?
The same goes for inline?
Maybe it's something we can address in GraphiQL?
There was a problem hiding this comment.
@IvanGoncharov For some reason chrome threw errors saying smth like "script violates security policy, please add unsafe-eval"
You can reproduce easily by removing these 2 lines from an express/graphiql server and opening graphiql -- a blank screen shows, and the above errors are logged
There was a problem hiding this comment.
I will try to fix our code to be CSP compliant in the next release.
It looks like unsafe-eval is required by GraphiQL you can help by submitting an issue there so the GraphiQL team can start working on it.
There was a problem hiding this comment.
probably has to do with our unpkg example and the script tag attributes we use? are we using cdn assets in this case?
There was a problem hiding this comment.
are we sure it's not caused by this?
https://github.com/graphql/express-graphql/blob/master/resources/load-statically-from-npm.js
I do not see this issue with chrome when visiting https://graphiql-test.netlify.com
There was a problem hiding this comment.
@acao It's probably because you not setting CSP for graphiql-test.netlify.com
Can you please try it with this snippet https://github.com/graphql/express-graphql/pull/701/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R359 ?
Related issue: apollographql/apollo-server#4648