
fix: enable running axe-core in strict CSPs #1707

Merged: straker merged 2 commits into develop from dequeDot on Jul 17, 2019

Conversation

@straker straker commented Jul 17, 2019

Contributor

This allows running axe-core's critical path axe.run() in strict CSPs by using deque's fork of doT.js. It will not allow axe to run if the user has configured translations through axe.configure or if using custom rules.

You can verify that our fork of doT.js no longer causes a CSP violation with this codepen https://codepen.io/straker/pen/GVKwde

Linked issue: #1175

Reviewer checks

Required fields, to be filled out by PR reviewer(s)

  • Follows the commit message policy, appropriate for next version
  • Has documentation updated, a DU ticket, or requires no documentation change
  • Includes new tests, or was unnecessary
  • Code is reviewed for security by: Stephen

@straker straker requested a review from a team as a code owner July 17, 2019 16:28

@stephenmathieson stephenmathieson left a comment

Member


Our fork needs to be published to npm. Using GitHub this way will prevent us from having predictable/reproducible builds.

@stephenmathieson stephenmathieson left a comment

Member


This is amazing.

I might call this a "feat" or "fix" to ensure it shows up in our changelog tho.

@straker straker changed the title chore: use deque fork of doT.js fix: use deque fork of doT.js which allows axe-core critical path to be used in strict CSP Jul 17, 2019
@straker straker changed the title fix: use deque fork of doT.js which allows axe-core critical path to be used in strict CSP fix: enable running axe-core in strict CSPs Jul 17, 2019
@straker straker merged commit cc5bd59 into develop Jul 17, 2019
@straker straker deleted the dequeDot branch July 17, 2019 19:51
WilcoFiers pushed a commit that referenced this pull request Jul 22, 2019
* chore: use deque fork of doT.js

* use npm package
kevindew added a commit to alphagov/govuk_publishing_components that referenced this pull request Dec 30, 2022
This use of unsafe_eval was required when we were using axe-core < 3.31
[1]. We are now using version 4.6.1 so can remove this code.

[1]: dequelabs/axe-core#1707
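Background the thread assumes, as an added example (this is not code from axe-core, from this PR, or from the doT.js fork): a template engine that turns template text into JavaScript source and compiles it with `new Function` or `eval` needs `'unsafe-eval'` in the page's `script-src`, which is exactly the relaxation the govuk commit above describes removing once axe-core no longer required it. The block parses a Content-Security-Policy header value, decides whether it permits eval, and runs a small heuristic lint over two constructed template-compiler snippets (neither is doT.js code) to show which one can run under a strict policy. The policies, snippets and function names are all constructed for illustration.

```javascript
// Added example, not part of axe-core or this PR. All policies, snippets and
// helper names below are constructed for illustration.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Does this policy let scripts call eval / new Function?
// script-src governs it; if absent, default-src applies; if neither is set,
// CSP places no restriction on eval at all.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  return sources.includes("'unsafe-eval'");
}

// Heuristic lint: which constructs in this script would need 'unsafe-eval'?
// Returns the labels of the constructs found (empty array means none). This
// is a regex check over common direct forms, not a JavaScript parser.
const EVAL_PATTERNS = [
  ['eval(', /\beval\s*\(/],
  ['new Function(', /\bnew\s+Function\s*\(/],
  ['setTimeout(string)', /\bsetTimeout\s*\(\s*['"`]/],
  ['setInterval(string)', /\bsetInterval\s*\(\s*['"`]/],
];
function findEvalConstructs(source) {
  return EVAL_PATTERNS.filter(([, re]) => re.test(source)).map(([label]) => label);
}

// Would this script run under this policy without an eval-related CSP violation?
function compatible(source, policy) {
  return allowsEval(policy) || findEvalConstructs(source).length === 0;
}

// Constructed policies: the first carries the 'unsafe-eval' relaxation, the
// second is a strict policy that forbids runtime code generation.
const RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const STRICT_CSP = "default-src 'self'; script-src 'self'";

// Constructed template-compiler snippets (not doT.js code). The first builds
// JavaScript source from the template and compiles it with new Function; the
// second interprets the template at render time with no code generation.
const COMPILES_WITH_FUNCTION = [
  'function compile(tpl) {',
  '  // turn the template text into JavaScript source, then into a function',
  "  var body = 'var out = ' + toSourceExpression(tpl) + '; return out;';",
  "  return new Function('it', body);",
  '}',
].join('\n');

const COMPILES_WITHOUT_EVAL = [
  'function compile(tpl) {',
  '  // substitute {{name}} placeholders at render time; nothing is compiled',
  '  return function (it) {',
  "    return tpl.replace(/\\{\\{(\\w+)\\}\\}/g, function (_, k) { return it[k]; });",
  '  };',
  '}',
].join('\n');

// Stand-alone demo: show which engine runs under which policy.
for (const [label, policy] of [['relaxed', RELAXED_CSP], ['strict', STRICT_CSP]]) {
  console.log(
    `${label} policy: new Function engine ok=${compatible(COMPILES_WITH_FUNCTION, policy)},` +
      ` eval-free engine ok=${compatible(COMPILES_WITHOUT_EVAL, policy)}`
  );
}
```

The useful defender-side check here is `compatible(...)`: run it (or a real CSP-aware browser test, which this lint only approximates) against any third-party script before dropping `'unsafe-eval'` from `script-src`, so the policy tightening and the dependency upgrade land together rather than one breaking the other.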

2 participants