Error "unsafe-eval" (CSP )

juanmendez · July 25, 2019, 1:25pm

The following error is thrown trying to access metabase using a subdomain
(ie. mysubdomain.example.com) Version: [v0.32.9]

mysubdomain.example.com/:37 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://maps.google.com https://apis.google.com https://www.google-analytics.com https://*.googleapis.com *.gstatic.com 'sha256-xlgrBEvjf72cXGba6bCV/PwIVp1DcbdhY74VIXN8fA4=' 'sha256-6xC9z5Dcryu9jbxUZkBJ5yUmSofhJjt7Mbnp/ijPkFs=' 'sha256-uKEj/Qp9AmQA2Xv83bZX9mNVV2VWZteZjIsVNVzLkA0='". Either the 'unsafe-inline' keyword, a hash ('sha256-1F0lw4Fmv8y6OvrkD3Kg93KSyCqdKFo5X4bnHBFS6zo='), or a nonce ('nonce-...') is required to enable inline execution.

Looks like it is related to CSP https://github.com/metabase/metabase/issues/10197 but the issue is stalled

flamber · July 25, 2019, 1:40pm

Hi @juanmendez
The issue hasn’t stalled, the core developers are just really busy working on other things.
It’s been given priority 1 and milestone 0.33 (that’s not a guarantee though).
It only happens on startup, so just do a browser refresh and you’ll see the login screen.

juanmendez · July 25, 2019, 1:55pm

It only happens on startup, so just do a browser refresh and you’ll see the login screen.

Sadly it doesn't work. the only way is accessing it via ip address.

flamber · July 25, 2019, 1:58pm

@juanmendez
Okay, then it’s not the same issue.
Which version of Metabase?
Are you using a proxy or load balancer or Cloudflare, that might be changing something?
Or maybe antivirus or a browser extension?