Freecodecamp: CSP stopping 'eval' from working in Firefox

Created on 10 Jan 2020 · 18 Comments · Source: freeCodeCamp/freeCodeCamp

Describe the bug
JavaScript challenges currently cannot be completed in Firefox, reported here: https://www.freecodecamp.org/forum/t/evalerror-call-to-eval-blocked-by-csp/339919/6

To Reproduce
Steps to reproduce the behavior:

  1. Go to any JavaScript challenge, e.g. https://www.freecodecamp.org/learn/javascript-algorithms-and-data-structures/basic-javascript/comment-your-javascript-code
  2. See EvalError: call to eval() blocked by CSP in the console

Desktop (please complete the following information):

  • Browser: Firefox
  • Version: 72.0.1 (64-bit)

Labels: client, learn, bug, critical path

Most helpful comment

We updated the CSP and this is resolved in our staging instance and should be resolved in our production instance soon (it may take a bit to cascade through the cache).

Please let us know after a few hours and close if resolved. Thanks.

All 18 comments

Users have reported the same issue in Safari and Edge.

Yep, I've confirmed it with Edge, too. The error I see is:

CSP14312: Resource violated directive ‘default-src 'self' http: https: data: blob: 'unsafe-inline'’ in Content-Security-Policy: script eval. Resource will be blocked.

Firefox is a bit more forthcoming and says that it's the test-evaluator that's causing it. I did change that (https://github.com/freeCodeCamp/freeCodeCamp/pull/38011), so maybe it's related, but that was a week ago, so unless it's only just been pushed live I doubt it.

Anyway, weirdly, .dev also has a bunch of similar errors, but works regardless.

For reference the CSPs are

content-security-policy: default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval';

for .dev and

content-security-policy: default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'

for .org

Seeing the same error in mobile safari and mobile chrome on iOS

CSP is no fun.


We updated the CSP and this is resolved in our staging instance and should be resolved in our production instance soon (it may take a bit to cascade through the cache).

Please let us know after a few hours and close if resolved. Thanks.

> (it may take a bit to cascade through the cache).

Is there a rough ETA? I'm still seeing the problem now (after 10 hours).

@ahmadabdolsaheb can you confirm it was resolved for you?

I'm with @ahmadabdolsaheb and it's working in Firefox for him, but not for me.

@scissorsneedfoodtoo are you and Ahmad getting the same CSPs?

@ojeytonwilliams, for the challenge page we have the same CSPs, but not for the /js/test-evaluator... files. Ahmad's test-evaluator files all have the updated CSPs, and mine just have default-src 'self' http: https: data: blob: 'unsafe-inline';.
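The rule behind the three policies quoted in this thread (the .dev and .org challenge-page headers above and the stale test-evaluator header in the previous comment), as an added example rather than code from the freeCodeCamp repository: eval() is governed by script-src, default-src is only the fallback when script-src is absent, and 'unsafe-eval' must appear in whichever directive applies. The policy strings are copied from this thread; the function names and the parser are my own.

```javascript
// Added example, not freeCodeCamp code: decide whether a
// Content-Security-Policy header allows eval()/new Function().
// Script execution is governed by script-src; if script-src is absent
// the browser falls back to default-src. Eval is permitted only when
// the governing directive lists 'unsafe-eval'.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // e.g. a trailing ";"
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers honour the first occurrence of a directive; later duplicates are ignored.
    if (!policy.has(key)) policy.set(key, sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Returns which directive governs eval for this header and whether eval is allowed.
function evalDecision(header) {
  const policy = parseCsp(header);
  const directive = policy.has("script-src") ? "script-src"
                  : policy.has("default-src") ? "default-src" : null;
  if (directive === null) return { directive, allowed: true }; // nothing restricts eval
  return { directive, allowed: policy.get(directive).includes("'unsafe-eval'") };
}

// Constructed inputs: the three policies quoted in this issue thread.
const policies = {
  "dev challenge page": "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval';",
  "org challenge page": "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'",
  "org stale test-evaluator": "default-src 'self' http: https: data: blob: 'unsafe-inline';",
};

function report() {
  const out = {};
  for (const [name, header] of Object.entries(policies)) out[name] = evalDecision(header);
  return out;
}

for (const [name, { directive, allowed }] of Object.entries(report())) {
  console.log(`${name}: governed by ${directive}, eval ${allowed ? "allowed" : "BLOCKED"}`);
}
```

Only the cached test-evaluator policy comes out as BLOCKED, which matches the symptom: the challenge page itself is fine, but the worker script it loads is served with a header that never mentions 'unsafe-eval'.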

Apparently CloudFlare don't modify CSPs, so presumably they're still using the old ones for some reason. It's a bit of a hacky long-shot, but could it be worth making a trivial change to test-evaluator, so that the hash updates and CloudFlare realises it needs to update its caches?

I think it's worth a shot. We could just add an extra newline to the file. What do you think @raisedadead?

It would need to be a change that didn't get minified away. Changing the indentation of the eval, for example.

Yes, that's true. I hoped we could add a comment somewhere but those get stripped out during minification. Changing the indentation of the eval or declaring a variable might be a good way to go about it.

Yep. I've made a PR that does just that, so that's available if we want to try that approach.

That was really fast! Thank you. Doing a quick test locally before merging.

Thanks again for your quick thinking and fix @ojeytonwilliams. @ahmadabdolsaheb deployed this to .org and it should be live in the next 25 to 30 minutes.

@scissorsneedfoodtoo, no problem! Seems fixed for me. Is it working for you now?

Yes, it's working on my end. @beaucarnes also tested it during the deployment and everything seems fixed now.

Thanks again for all your help with this. Think we can close this issue for now, but I'll keep an eye on the forum and Twitter to see if people are still having issues.
