embed a list into a website throws errors on the console #3297

Open
jaschaurbach opened this issue Feb 28, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@jaschaurbach
Member

Describe the bug
Embedding a list from Bookwyrm into another site is great. Unfortunately, besides working, it throws an error in the browser console when added to a WordPress site.

To Reproduce
Embed a list via iframe into a WordPress site
Open this website and look into the console:

JQMIGRATE: Migrate is installed, version 3.4.1
b3218f9308a345d390181a26c466573b:21 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-sCpo3GzqUzMdw1KpB8Cf2LLeo4zuSCqQYFt6S+d8gKI='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

b3218f9308a345d390181a26c466573b:21 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-sCpo3GzqUzMdw1KpB8Cf2LLeo4zuSCqQYFt6S+d8gKI='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

The deferred DOM Node could not be resolved to a valid node.

As a living and working example you can use https://jascha.wtf/meine-veroeffentlichungen/
Expected behavior
no error in the console

Screenshots

Instance
several, e.g. bookwyrm.de

Additional context
Add any other context about the problem here.

@jaschaurbach jaschaurbach added the bug Something isn't working label Feb 28, 2024
@Minnozz
Contributor

Minnozz commented Mar 8, 2024

This is caused by the Content-Security-Policy header that bookwyrm.de returns for the request to the URL in the iframe:

content-security-policy: script-src 'self'; default-src 'self'

This is the offending inline style:

<img class="image logo is-flex-shrink-0" style="height: 32px" src="/static/images/logo-small.png" alt="BookWyrm.de home page" loading="lazy" decoding="async">
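Added example, not part of either comment and not BookWyrm code: a small checker that applies the CSP fallback chain (style-src-attr or style-src-elem, then style-src, then default-src) to a page and lists the inline styles the policy refuses. The function and class names are hypothetical, and nonce/hash sources are assumed to disable 'unsafe-inline' without being matched against the markup.

```python
from html.parser import HTMLParser

# Header and markup quoted in the comment above.
PAGE_CSP = "script-src 'self'; default-src 'self'"
PAGE_IMG = ('<img class="image logo is-flex-shrink-0" style="height: 32px" '
            'src="/static/images/logo-small.png" alt="BookWyrm.de home page" '
            'loading="lazy" decoding="async">')

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first one wins
    return policy

def inline_allowed(sources):
    """Simplification: a nonce or hash disables 'unsafe-inline' and is not matched here."""
    lowered = [s.lower() for s in sources]
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    return "'unsafe-inline'" in lowered and not strict

class InlineStyleFinder(HTMLParser):
    """Collects <style> elements and style="" attributes with their line numbers."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (governing directive, tag, line)
    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "style":
            self.findings.append(("style-src-elem", tag, line))
        if any(name == "style" for name, _ in attrs):
            self.findings.append(("style-src-attr", tag, line))

def blocked_inline_styles(csp_header, html):
    """Return (tag, line, deciding directive) for each inline style the policy refuses."""
    policy = parse_csp(csp_header)
    finder = InlineStyleFinder()
    finder.feed(html)
    blocked = []
    for kind, tag, line in finder.findings:
        # Fallback chain: style-src-attr/-elem -> style-src -> default-src.
        chain = (kind, "style-src", "default-src")
        directive = next((d for d in chain if d in policy), None)
        if directive and not inline_allowed(policy[directive]):
            blocked.append((tag, line, directive))
    return blocked
```

Run against rendered templates in a test suite, this flags markup such as the logo `<img>` before a strict policy is deployed; the usual fix is to move the declaration into a stylesheet class rather than loosen the policy.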
