
Bug #25712

Updated by Clark ANDRIANASOLO 7 days ago

In 8.2 only the "Utilities" menu in Rudder has strict CSP headers enabled, see #25032.
This means @script@ tags need a unique valid @nonce@ attribute.
But it appears that when loading these pages, there are some CSP violations from some scripts that were added to render the "Status" tab in #25527, which have a different nonce value than the one used for the script tags within the page.

The behavior of the button is kept despite the CSP error and the error log that is produced:
<pre>
WARN    application - Content security policy violation: blocked inline in http://localhost:8080/rudder/secure/utilities/archiveManagement?continue because of script-src-elem directive
</pre>

(notice that the violation is not enforced in dev mode, which makes it undetectable unless we pay attention to error logs and console errors, because we have the @Content-Security-Policy-Report-Only@ header; we should also enforce it by only using the @Content-Security-Policy@ and @X-Content-Security-Policy@ headers)
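A small checker for the two problems described above, as an added example that is not Rudder's code: it reads the nonce allowed by the CSP header, lists every @script@ tag whose @nonce@ does not match it, and reports whether the policy is enforced or only report-only. The headers and HTML below are constructed sample input; the script names in them are placeholders.

```python
"""Detect <script> tags whose nonce differs from the CSP header's nonce,
and flag pages whose policy is only Content-Security-Policy-Report-Only.
Added example, not Rudder's own code: the sample response is constructed."""
import re
from typing import Optional

ENFORCING = "Content-Security-Policy"
REPORT_ONLY = "Content-Security-Policy-Report-Only"


def csp_nonce(csp: str, directive: str = "script-src") -> Optional[str]:
    """Return the nonce allowed for `directive`, following CSP fallback:
    script-src-elem -> script-src -> default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    for name in (f"{directive}-elem", directive, "default-src"):
        for src in directives.get(name, []):
            m = re.fullmatch(r"'nonce-([A-Za-z0-9+/=_-]+)'", src)
            if m:
                return m.group(1)
    return None


def script_violations(headers: dict, html: str) -> dict:
    """Return the script tags the browser would block (nonce missing or
    different from the header's) and whether the policy is enforced."""
    csp = headers.get(ENFORCING) or headers.get(REPORT_ONLY) or ""
    expected = csp_nonce(csp)
    violations = []
    for tag in re.finditer(r"<script\b([^>]*)>", html, re.IGNORECASE):
        m = re.search(r'\bnonce=["\']([^"\']*)["\']', tag.group(1))
        nonce = m.group(1) if m else None
        if nonce != expected:
            violations.append({"tag": tag.group(0), "nonce": nonce})
    return {"expected_nonce": expected, "violations": violations,
            "enforced": ENFORCING in headers}


# Constructed sample: a report-only policy, one matching script, one script
# with a foreign nonce (like the "Status" tab scripts) and one with none.
SAMPLE_HEADERS = {REPORT_ONLY: "default-src 'self'; script-src 'self' 'nonce-abc123'"}
SAMPLE_HTML = """<html><body>
<script nonce="abc123" src="/placeholder/page.js"></script>
<script nonce="zzz999">renderStatusTab();</script>
<script>document.getElementById('btn').onclick = refresh;</script>
</body></html>"""


def check_sample() -> dict:
    return script_violations(SAMPLE_HEADERS, SAMPLE_HTML)


if __name__ == "__main__":
    for v in check_sample()["violations"]:
        print("would be blocked:", v["tag"])
```

Running it against the sample lists the two non-matching tags and reports @enforced: False@, which is the dev-mode situation where violations only show up in logs.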
