--csp option doesn't work with noscript about tools HOT 7 CLOSED

I faced the exact same issue.

from tools.

I may hit the same problem.
I built my Chrome Apps with polymer and vulcanize --csp, and it worked on Chrome 35.
But it looks like Chrome 36 reports csp violation as,

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

It does not point the right error place, as index.html:1, but I can reproduce the similar error with <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-eval'; style-src 'unsafe-inline"> even on web apps over the https.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

This case, console shows that the error happens at polymer.js:13.

My Apps imports core-toolbar that vkammerer said it used noscript.

Do you know any workaround for this?

from tools.

Refer to @robdodson comment on Polymer/polymer#613 (comment)

from tools.

Thanks, I'll track related issues.

FYI, I modified core-toolbar to have a dummy script and removed noscript attribute. It works for me as a quick workaround.

from tools.

Thanks @toyoshim ! I was facing the same issue and adding the dummy script with removing the noscript attr solved it for me too.

from tools.

Fixed by Polymer/polymer-bundler@e068dee. Using vulcanize --csp should result in no inline scripts injected at vulcanize-time or runtime due to noscript elements.

from tools.

👍

from tools.