# ask-a-descoper
e
Hey, is there documentation somewhere about Descope and CSP whitelisting? I keep running into CSP errors fetching Descope resources/URLs.
g
hey Vladi! which error are you getting? is it possible that you have a CSP policy defined somewhere in the app?
e
I do, I just need all the URLs Descope uses, in order to allow them.
It’s just very tedious now, adding the URL that throws, deploying and waiting for more errors 🙂
g
Regarding URLs, I believe that there are two:
• https://api.descope.com (used for communication to Descope services)
• https://static.descope.com (used for downloading the flow assets: screens/css/etc)
lmk if that covers it, so we’ll improve docs / process 🙂
e
Hmm,
caught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in
Seems you are using eval somewhere in your SDK, and I really don’t want to allow it. It’s here: https://github.com/descope/descope-js/blob/0c3a0ebb51154fee93dc7044768c0d8befa50a71/packages/web-component/src/lib/descope-wc/DescopeWc.ts#L420
g
one sec, I found an example that works
default-src 'none';
script-src 'unsafe-eval';
connect-src static.descope.com;
style-src 'unsafe-inline' static.descope.com fonts.googleapis.com;
img-src static.descope.com;
font-src fonts.gstatic.com;
e
That will work, but allowing unsafe-eval sucks, it makes the CSP kinda obsolete
g
right, we are aware of this gap and intend to improve it soon. Supporting a good CSP requires changing the API of the SDK a bit. @orange-belgium-27264, if you have further feedback about that, please share
o
You're absolutely right @eager-rocket-96024, we'll fix that soon
e
Cool, I would appreciate it if you can keep me updated on that; for now I'm allowing unsafe-eval in our production env 🫣
a
Sure, we will, you can also join #C04USJVE5GW for future updates.
c
bumping this! I really would prefer to not add unsafe-eval as well
s
@ancient-motorcycle-2291 @great-diamond-35515 FYI.
a
Yes, we are working on a solution for that, will let you know once implemented.
c
thank you!