From the Chrome console when accessing https://src.fedoraproject.org/rpms/bash/branches?branchname=master
Refused to connect to 'https://pdc.fedoraproject.org/rest_api/v1/component-branches/?active=false&type=rpm&global_component=bash' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Also note that the retired branches should be greyed out, which makes the problem visible without looking at the Chrome console.
Metadata Update from @smooge: - Issue assigned to pingou - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: src.fp.o
Attachment: 0001-distgit-content-security-policy-allow-connect-to-pdc.patch
connect-src should be enough for ajax requests: https://content-security-policy.com/
Applied in https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=8037fd8
I've also adjusted the config to allow calling mdapi: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=df99777
My fix to mdapi doesn't quite seem to work though: accessing https://src.fedoraproject.org/rpms/bash I still see some errors in the console. I'll see tomorrow about this.
My Firefox complains about script-src rules with mdapi; try moving it to script-src
@jlanda good catch, that was it! :)
It still fails because of a MIME type mismatch, but that's something to fix in mdapi; it's no longer a CSP issue.
Thanks! :)
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
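Added example, not part of the ticket or of Fedora's configuration: a simplified model of the directive fallback the console message describes, showing why the XHR to pdc is governed by connect-src while the JSONP request to mdapi (loaded through a script element) is governed by script-src. The policy strings and the shortened URLs are constructed for illustration, and only `'self'` and `scheme://host` sources are modelled.

```javascript
// Simplified CSP check: directive lookup with default-src fallback.
// Handles only 'self' and scheme://host sources (no wildcards, paths, nonces).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

function isAllowed(header, directive, pageUrl, targetUrl) {
  const policy = parsePolicy(header);
  // connect-src and script-src both fall back to default-src when not set.
  const used = policy.has(directive) ? directive
    : policy.has('default-src') ? 'default-src' : null;
  if (used === null) return { allowed: true, used };
  const self = new URL(pageUrl).origin;
  const target = new URL(targetUrl).origin;
  const allowed = policy.get(used).some((src) => {
    if (src === "'self'") return target === self;
    try { return new URL(src).origin === target; } catch { return false; }
  });
  return { allowed, used };
}

const PAGE = 'https://src.fedoraproject.org/rpms/bash';
const PDC = 'https://pdc.fedoraproject.org/rest_api/v1/component-branches/?global_component=bash';
const MDAPI = 'https://mdapi.fedoraproject.org/rawhide/srcpkg/bash?callback=cb'; // JSONP-style URL

// Constructed policies, not the ones deployed on src.fedoraproject.org.
const ORIGINAL = "default-src 'self'";
const MDAPI_IN_CONNECT = "default-src 'self'; " +
  "connect-src 'self' https://pdc.fedoraproject.org https://mdapi.fedoraproject.org";
const MDAPI_IN_SCRIPT = "default-src 'self'; " +
  "connect-src 'self' https://pdc.fedoraproject.org; " +
  "script-src 'self' https://mdapi.fedoraproject.org";

function demo() {
  return {
    xhrOriginal: isAllowed(ORIGINAL, 'connect-src', PAGE, PDC),
    xhrFixed: isAllowed(MDAPI_IN_CONNECT, 'connect-src', PAGE, PDC),
    jsonpWrongDirective: isAllowed(MDAPI_IN_CONNECT, 'script-src', PAGE, MDAPI),
    jsonpFixed: isAllowed(MDAPI_IN_SCRIPT, 'script-src', PAGE, MDAPI),
  };
}
console.log(demo());
```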
I'm not so sure if the problem is on mdapi:
On a curl -I to https://mdapi.fedoraproject.org/rawhide/srcpkg/bash?callback=jQuery3410901376464649285_1574931632973&_=1574931632974 : content-type: application/json; charset=utf-8
and actually, it is returning JSON, but Firefox does not like JSON on a <script src>? Should we change mdapi to set content-type to a JavaScript allowed one, complain to Firefox for not allowing script srcs to application/json, or what? :D