<p>There are multiple issues:</p>
<ol>
<li><p>The <code>Content-Security-Policy</code> (CSP) header does not work this way. CSP only has granularity of a single host+port combination (origin). If you cannot allow all scripts to have <code>unsafe-eval</code>, no script can have it. The only possible workaround is to not use a script that requires <code>unsafe-eval</code> (fortunately, MathJax no longer requires <code>unsafe-eval</code> since <a href="https://github.com/mathjax/MathJax/issues/256" rel="nofollow noreferrer">MathJax bug 256</a> was fixed).</p></li>
<li><p>The <code>allow</code> syntax is an old Mozilla variant and should not be used. The current syntax is to say <code>default-src</code> followed by the schemes, host names or origins that are allowed as the source of everything, and then override the default value for each sub-type (e.g. <code>script-src</code>) as needed. Some sources may support additional source keywords in addition to <code>self</code>. For example, <code>script-src</code> supports <code>unsafe-eval</code>, which means that any script that is otherwise allowed to execute is allowed to run eval() or Function(), and <code>unsafe-inline</code>, meaning that any piece of markup that can support some kind of inline script is allowed to execute. Allowing <code>unsafe-eval</code> may be acceptable, but <code>unsafe-inline</code> is pretty much a no-go with script-src (otherwise, you should not bother with the CSP at all).</p></li>
<li><p>The correct syntax for <code>script-src</code> is as follows:</p>
<pre><code>script-src 'self' cdnjs.cloudflare.com</code></pre>
<p>combined with loading MathJax from <a href="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.4/MathJax.js" rel="nofollow noreferrer">https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.4/MathJax.js</a></p></li>
<li><p>MathJax also uses inline style attributes, so the following is needed (unless already allowed) or MathJax will raise an <code>Exception</code> while trying to render the math:</p>
<pre><code>style-src 'self' 'unsafe-inline'</code></pre>
<p>It is not possible to use CSP to allow JS to insert style attributes while preventing style attributes already present in the HTML source from having an effect.</p></li>
<li><p>It seems that Firefox 13.0 (at least) does not immediately "call home" in case of a CSP violation. Most of the violation reports do get submitted some time after the event. Chrome seems to be much more aggressive with the report submission, which makes it a bit easier to test. From my experience, Firefox does not always send a CSP report at all - it may be using some kind of heuristic to avoid sending repeated messages.</p></li>
</ol>
<p>In the end, to make MathJax work with Content-Security-Policy, you need the following headers (assuming you're using MathJax via CDNJS):</p>
<pre><code>Content-Security-Policy: default-src 'self'; script-src 'self' cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline';</code></pre>
<p>Older browsers (e.g. Firefox 13) used to require extra parameters such as <code>options</code> or required using a non-standard header name such as <code>X-Content-Security-Policy</code> or <code>X-WebKit-CSP</code>. These hacks are no longer required because user agents support the standard header nowadays. (<em>With the exception of MSIE, in contrast to MS Edge.</em>)</p>
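<p>The directive fallback and keyword rules the answer relies on, as an added example that is not part of the original answer: a deliberately small model of how a browser resolves a CSP header (<code>PAGE_ORIGIN</code> and all function names are assumptions; real source matching has more rules, and port handling is omitted). It shows that <code>'unsafe-eval'</code>/<code>'unsafe-inline'</code> apply per directive rather than per host, that <code>script-src</code> and <code>style-src</code> fall back to <code>default-src</code>, and that a policy written in the old <code>allow</code> syntax is an unknown directive and therefore restricts nothing.</p>

```javascript
// Added example, not code from the original answer: a minimal model of how a
// browser resolves CSP directives. PAGE_ORIGIN is an assumed value; real CSP
// matching has more rules (ports, paths, nonces, hashes) than shown here.
const PAGE_ORIGIN = 'https://example.org';

// Parse "name src src; name src" into { name: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives (script-src, style-src, img-src, ...) fall back to
// default-src. Unknown directives such as the old "allow" are ignored, so a
// policy written only in that syntax restricts nothing (returns null).
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}

// Match one source expression ('self', scheme:, host, *.host) against a URL.
function sourceMatches(src, url) {
  if (src === "'self'") return url.origin === PAGE_ORIGIN;
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  if (src.startsWith("'")) return false;            // keywords never match URLs
  const [scheme, rest] = src.includes('://') ? src.split('://') : [null, src];
  if (scheme && url.protocol !== scheme + ':') return false;
  const host = rest.split('/')[0].split(':')[0].toLowerCase(); // port ignored
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1))
                               : url.hostname === host;
}

// Is a resource of this type allowed to load from this URL under the header?
function allowsUrl(header, directive, urlString) {
  const sources = effectiveSources(parseCsp(header), directive);
  return sources === null || sources.some(s => sourceMatches(s, new URL(urlString)));
}

// Keywords such as 'unsafe-inline' / 'unsafe-eval' apply to a whole directive;
// there is no way to grant them to one host only.
function allowsKeyword(header, directive, keyword) {
  const sources = effectiveSources(parseCsp(header), directive);
  return sources === null || sources.includes(`'${keyword}'`);
}

// The header the answer ends with (without the trailing semicolon).
const MATHJAX_CSP = "default-src 'self'; script-src 'self' cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline'";
```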