Fix CSP error - script-src directive

[yamafaktory]

Attempt to fix Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). presumably related to this commit 38758b3

cc/ @JohnTitor

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @sgrif (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

[JohnTitor]

Attempt to fix Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Hm, where did you find that error? I couldn't see that on the top page.

[yamafaktory]

@JohnTitor Sorry, this PR is definitely missing some context..

[yamafaktory]

@JohnTitor Basically, this is when you reach the detail view of any given crate. Before the chart was loaded and displayed next to the download statistics.

[yamafaktory]

Well, actually it's even visible on the top level, see this Chromium screenshot:

[JohnTitor]

Uhm, indeed 38758b3 touched CSP directive but it isn't deployed to the production yet. And seems the inline error is coming from your browser extension(s) since your private window on Chrome doesn't complain (these errors are by external resources, to me) but Firefox does.

[yamafaktory]

Ok, wasn't aware it was not deployed yet!

However, no matter if I open an incognito tab in Firefox or Chromium, I'm still getting the CSP error and the chart can be loaded and displayed.

See:

[yamafaktory]

@JohnTitor so it might simply be that your commit will fix that issue when deployed to production 🚀 !

[JohnTitor]

Ah got it! So, this looks good to me :)

[yamafaktory]

Thanks a ton @JohnTitor 🙇 !

[JohnTitor]

r? @jtgeibel since this(unsafe-inline) will affect the security.

[bors]

☔ The latest upstream changes (presumably #2480) made this pull request unmergeable. Please resolve the merge conflicts.

[jtgeibel]

Thanks for the PR @yamafaktory. I'm in the process of deploying the previous CSP changes and in staging they appear to resolve the CSP errors shown in the console. So fortunately it appears that adding unsafe-inline for script-src is unnecessary. That is good because I would worry that errors in README sanitation could lead to security issues if this was added.

Thanks again!

[yamafaktory]

@jtgeibel cool! Thanks for the feedback!