Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Addon A11y: Avoid CSP issue #24477

Merged

Conversation

Marklb
Copy link
Member

@Marklb Marklb commented Oct 15, 2023

Closes #24355

What I did

Ensure Ace result is a simple json object that doesn't contain named objects, because telejson will deserialize it in a way that violates: Content Security Policy directive: "script-src 'self' 'unsafe-inline'"

There may be a better way to handle this, such as just converting the CheckResult objects to a simple object, but I think all the Results object can be stringified, so I went with a simple naive approach: JSON.parse(JSON.stringify(result))

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

I don't know if there is a good way to automate testing this. Maybe adding the CSP to an e2e test that runs addon-a11y. I can try to do that, if it would work, but I am not sure how, yet.

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

  1. Create a sandbox.
  2. Create a .storybook/manager-head.html containing:
<meta
  http-equiv="Content-Security-Policy"
  content="script-src 'self' 'unsafe-inline'"
/>
  1. Run the sandbox and check the devtools for a CSP error.

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

@Marklb
Copy link
Member Author

Marklb commented Oct 27, 2023

Anything else that needs to be done for this or done differently?

@valentinpalkovic valentinpalkovic merged commit 9925d3b into storybookjs:next Oct 27, 2023
45 checks passed
@valentinpalkovic
Copy link
Contributor

Thanks @Marklb!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: CSP - unsafe-eval. SB7 with angular library shows CSP error.
3 participants