Sentry-javascript: Gives error without CSP style-src 'unsafe-inline'

Created on 12 Apr 2019  路  7Comments  路  Source: getsentry/sentry-javascript

Package + Version

  • [x] @sentry/browser

Version:

5.0.8

Description

While using example setup for angular, I get error
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src .... I tried adding nonce to the sentry script tag and also added sha256- from the error message but it still occured.

My setup was easy, followed instructions on your page.
https://docs.sentry.io/platforms/javascript/angular/#angularjs-1x -> used the standalone part.
Also added urls following your CSP :
https://forum.sentry.io/t/required-content-security-policy/4484 -> updated the script-src value to add https://browser.sentry-cdn.com

Error traces back to:
sentryWrapped | @ | helpers.ts:84
that is:
return fn.apply(this, wrappedArguments);

picture ilmartyrk

Most helpful comment

A way to tell Sentry not to inline the CSS through a loadStyles param would be great to avoid this issue:

Sentry.showReportDialog({
  eventId: 0,
  loadStyles: false
});
picture hugmanrique on 31 Oct 2019
👍2

All 7 comments

So just to make clear, you fixed this by adding unsafe-inline?

HazAT picture HazAT on 12 Apr 2019

Yes, that fixed it

ilmartyrk picture ilmartyrk on 12 Apr 2019

Since this isn't really a bug with the SDK I will close this issue. I hope people running into this will find the issue. Adding this to the docs is also not crystal clear since the solution heavily depends on your individual setup.

HazAT picture HazAT on 16 Apr 2019
👍1

@HazAT, I'll try to find the cause of this problem and when I get my head around it, I'll post the info in here :)

ilmartyrk picture ilmartyrk on 16 Apr 2019
🚀1

I get the same error when I try to display the User Feedback Dialog! As a workaround, we're just going to load the CSS manually.

teriu picture teriu on 1 Sep 2019

A way to tell Sentry not to inline the CSS through a loadStyles param would be great to avoid this issue:

Sentry.showReportDialog({
  eventId: 0,
  loadStyles: false
});
hugmanrique picture hugmanrique on 31 Oct 2019
👍2

@hugmanrique this would have to be implemented inside Sentry itself first, as the SDK just includes a script which then creates an iframe. https://github.com/getsentry/sentry

kamilogorek picture kamilogorek on 8 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

THPubs picture THPubs  路  3Comments
hinok picture hinok  路  3Comments
jaylinski picture jaylinski  路  3Comments
grigored picture grigored  路  3Comments
dimmduh picture dimmduh  路  3Comments