This repository was archived by the owner on Mar 19, 2021. It is now read-only.

Description
Related to dequelabs/axe-webdriverjs#35, axe-cli hangs on websites that have a limited Content Security Policy (CSP). Because axe-cli injects a script to make sure you're on the same page (similar to how we used to do it in axe-webdriverjs), it can suffer from the same-origin policy depending on how that site is implemented.
How to reproduce:
- Update package.json to pull axe-webdriverjs@1.1.0
- Run axe-cli directly from this repository code on a site with limited CSP:
  `node index.js https://github.com/dequelabs/axe-webdriverjs/`
- Observe axe-cli hang for the length of the script timeouts, or longer.
I commented out lines 32-43 to avoid the script tag creation and inject the script directly (that was our fix in axe-webdriverjs) but it threw this error:
WebDriverError: {"errorMessage":"Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"script-src assets-cdn.github.com\".\n","request":{"headers":{"Accept":"application/json; charset=utf-8","Connection":"close","Content-Length":"451487","Content-Type":"application/json;charset=UTF-8","Host":"localhost:4444"},"httpVersion":"1.1","method":"POST","post":"{\"script\":\"(function axeFunction(window) {}
I'll keep looking into it, but I wanted to document this while it was on the top of my head.
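
The error quoted in this report names the directive `script-src assets-cdn.github.com`, which has no `'unsafe-eval'` source. The following is an added example, not part of the original report and not axe-cli or axe-webdriverjs code: a check a tool could run on a page's `Content-Security-Policy` header value to report, before injecting anything, whether string evaluation or inline scripts will be refused. The function names `parseCsp` and `scriptInjectionVerdict` are hypothetical, and the sample header is constructed from the directive in the error message.

```javascript
// Added example (not axe-cli code): predict from a Content-Security-Policy
// header value whether injected or string-evaluated scripts will be blocked.
// parseCsp and scriptInjectionVerdict are hypothetical names.

function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function scriptInjectionVerdict(headerValue) {
  const directives = parseCsp(headerValue);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) {
    return { restricted: false, evalAllowed: true, inlineAllowed: true, hostSources: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    restricted: true,
    // eval(), new Function() and string evaluation need 'unsafe-eval'.
    evalAllowed: lower.includes("'unsafe-eval'"),
    // 'unsafe-inline' is ignored once a nonce or hash source is present.
    inlineAllowed: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    // Non-keyword sources: hosts and schemes external scripts may load from.
    hostSources: sources.filter((s) => !s.startsWith("'")),
  };
}

// Constructed sample: the directive quoted in the error message above.
const verdict = scriptInjectionVerdict('script-src assets-cdn.github.com');
console.log(verdict);
```

The check covers a single header value only; policies delivered through a `<meta>` tag or through several headers at once would each need to be evaluated.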