Hi, I am having a problem getting this loaded with my site's Content Security Policy below which is sent in header by Apache. I added URL to script in CSP's style-src and script-src sections.
Header set Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'self'; frame-src 'self' https://discordapp.com; media-src 'self' https://ssl.gstatic.com; img-src 'self' https://www.google-analytics.com https://www.googletagmanager.com https://www.gstatic.com; connect-src 'self' https://www.google-analytics.com; font-src 'self' https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com https://www.google-analytics.com https://maxcdn.bootstrapcdn.com http://maxcdn.bootstrapcdn.com; form-action 'self' https://api.sandbox.paypal.com https://www.sandbox.paypal.com https://secure.paypal.com https://www.paypal.com; style-src 'self' https://fonts.googleapis.com http://maxcdn.bootstrapcdn.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js; script-src 'self' https://kellypublishing.com https://www.google-analytics.com https://www.googletagmanager.com https://cdn.jsdelivr.net/momentjs/2.13.0/moment.min.js https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js; report-uri https://XXXXXX.com/scripts/cspReport.php;"
I tried loading it like:
<script src="https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js"></script>
get following error
I tried adding a single integrity hash calculated at https://www.srihash.org/.
<script src="https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js" integrity="sha384-2+4ak+EZAvYSg5sqFl6/fu1wxegjxZl52L8+Y4WQSSPlCUYia+2w33MeX9moB58o" crossorigin="anonymous"></script>
get the same error
with the three integrity hashes in above error message
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js" integrity="sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= sha256-j+uGzTtOAr9ui9u6vep2KJDVEj8Ob+QZwv2PG/URCVc= sha256-UTjtaAWWTyzFjRKbltk24jHijlTbP20C1GUYaWPqg7E=" crossorigin="anonymous"></script>
get different error with a different hash
tried adding the fourth hash referenced in above error with
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js" integrity="sha256-2zBSl0N0+jv0CCZBDFVUySEiCCsPhfowMQL7NFMdNXA= sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= sha256-j+uGzTtOAr9ui9u6vep2KJDVEj8Ob+QZwv2PG/URCVc= sha256-UTjtaAWWTyzFjRKbltk24jHijlTbP20C1GUYaWPqg7E=" crossorigin="anonymous"></script>
and get following error
which is the same error as when I just use
<script src="https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js"></script>
Then I tried like below.
<script src="https://cdn.jsdelivr.net/npm/@joeattardi/[email protected]/dist/index.min.js" /></script>
and adding 'unsafe-inline to style-src and script-src section of CSP and do not get any error.
I get all the same results above whether loaded locally or remotely.
Is it possible to get this working without having to add unsafe-inline to CSP? I recall awhile back I was not able to use Google's reCaptcha service due to I believe some inline code in the file they required, might this be the same reason this is not working with a CSP that does not allow unsafe-inline? If so, any workarounds or is such essential to this and likely other similar type emoji pickers?