Snow 2's CSP breaks Snow's inline scripts #132

Closed
mmndaniel opened this issue Jul 19, 2023 · 2 comments

@mmndaniel
Contributor

mmndaniel commented Jul 19, 2023

var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML =  `<iframe
	srcdoc="<iframe></iframe>"</iframe>`;
frames[0][0].alert(1);

See console: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob:". .. etc. The CSP doesn't have a nonce/hash, so the inline scripts created by

const getDocumentCurrentScriptHelper = `
and
function makeStringHook(asFrame, asHtml, arg) {
won't execute.
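
A simplified model of the check behind that console error, as an added example that is not part of the original issue or of Snow's code: it evaluates whether an inline `<script>` passes a policy's script directive, and shows that `script-src 'self' blob:` rejects it until a matching hash or nonce source is added. The function names are hypothetical, and `HELPER` is a constructed stand-in for an injected inline helper, not Snow's real script.

```javascript
// Added example: simplified model of CSP inline-script matching (Node.js).
// Loads node:crypto in both CommonJS and ES module contexts.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Build the 'sha256-<base64>' source expression for an inline script body.
function cspHash(scriptText, algo = 'sha256') {
  const digest = nodeCrypto.createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Would a <script> element with this body (and optional nonce attribute) run?
function inlineScriptAllowed(policy, scriptText, nonce = '') {
  const d = parseCsp(policy);
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hashes = ['sha256', 'sha384', 'sha512'].map((a) => cspHash(scriptText, a));
  if (sources.some((s) => hashes.includes(s))) return true;
  // 'unsafe-inline' is ignored once any nonce or hash source is present.
  // Host, scheme and 'self' sources (such as blob:) never match inline code.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

const SNOW_CSP = "script-src 'self' blob:"; // directive quoted in the issue
const HELPER = 'top.hook(window);';         // constructed stand-in script body

console.log(inlineScriptAllowed(SNOW_CSP, HELPER));                          // false
console.log(inlineScriptAllowed(`${SNOW_CSP} ${cspHash(HELPER)}`, HELPER));  // true
```

A hash source only fits inline scripts whose text is fixed ahead of time; a script whose body varies per call needs a nonce that is shared with the policy instead.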

@weizman
Member

weizman commented Jul 19, 2023

Yea that's my bad... fair point.
I'll get to it 🙏

@weizman
Member

weizman commented Aug 2, 2023

Snow 2 was a mistake #133

@weizman weizman closed this as completed Aug 2, 2023