jsPDF fails with CSP #3037

Closed
caranad opened this issue Dec 13, 2020 · 2 comments

caranad commented Dec 13, 2020

Hi everyone,

I'm working on an application that incorporates jsPDF in it, and also has some Content Security Policies embedded within it. Every time I keep running into an issue with document-cloner.ts with documentClone.write, and I'm literally at my wit's end how to diagnose it. I tried forking the repository and replacing the document.write with documentClone.body.appendChild but to no avail...

My Content Security Policy in Express/Node is as follows:
res.header('Content-Security-Policy', "require-trusted-types-for 'script'; img-src * 'self'; style-src-elem 'self' 'unsafe-inline'; default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; style-src 'self' 'unsafe-inline' ; object-src 'none'; base-uri 'self'; font-src 'self'; frame-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com/; connect-src 'self' https://firebasestorage.googleapis.com https://securetoken.googleapis.com https://www.googleapis.com;"),

Any suggestions on how to move forward? Either I have to move the stuff to the server-side, or find another service. Thanks

@github-actions

This issue is stale because it has been open 90 days with no activity. It will be closed soon. Please comment/reopen if this issue is still relevant.

ubergeoff commented Feb 18, 2022

Try with:

frame-src 'self' data:;

++ Side note and maybe unrelated: script-src 'unsafe-inline' is "unsafe"
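
Added example (not part of the issue and not jsPDF's code): a small JavaScript check that parses the policy quoted in the issue and reports whether frames may load `data:` URLs, whether inline script is effectively allowed, and whether Trusted Types enforcement is on. The function names `parseCsp`, `effectiveSources` and `audit` are hypothetical; the fallback and `'unsafe-inline'` handling follow CSP Level 3.

```javascript
// Added example. POLICY is the header value quoted in the issue, verbatim.
const POLICY = "require-trusted-types-for 'script'; img-src * 'self'; style-src-elem 'self' 'unsafe-inline'; default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; style-src 'self' 'unsafe-inline' ; object-src 'none'; base-uri 'self'; font-src 'self'; frame-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com/; connect-src 'self' https://firebasestorage.googleapis.com https://securetoken.googleapis.com https://www.googleapis.com;";

// Parse a serialized policy into Map(name -> lower-cased source tokens).
// Directive names are case-insensitive; a repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// CSP3 fallback chains for the two fetch directives inspected here.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};

// Source list that governs `name`, or null when nothing restricts it.
function effectiveSources(directives, name) {
  for (const candidate of FALLBACK[name]) {
    if (directives.has(candidate)) return directives.get(candidate);
  }
  return null;
}

function audit(policy) {
  const d = parseCsp(policy);
  const frame = effectiveSources(d, 'frame-src');
  const script = effectiveSources(d, 'script-src');
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const inlineOverridden = (script || []).some((s) =>
    /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return {
    // "*" does not match data:, so the scheme has to be listed explicitly.
    framesAllowDataUrls: frame === null || frame.includes('data:'),
    inlineScriptAllowed: script === null ||
      (script.includes("'unsafe-inline'") && !inlineOverridden),
    // With this directive, string arguments to sinks such as document.write
    // are rejected unless they pass through a Trusted Types policy.
    trustedTypesEnforced: (d.get('require-trusted-types-for') || []).includes("'script'"),
  };
}

console.log(audit(POLICY));
console.log(audit(POLICY.replace("frame-src 'self';", "frame-src 'self' data:;")));
```

The second call applies the `frame-src 'self' data:;` change suggested above; only `framesAllowDataUrls` changes between the two results.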
