Description
Is this a hackmd.io issue?
- Yes, the bug happens on https://hackmd.io
What's the problem
Current behaviour
Opening the HackMD sign-in page triggers 17 Content Security Policy (CSP) errors in the browser console:
- `script-src` directive blocks inline script execution and scripts from multiple external domains (YouTube, Google, Stripe, Sentry, Plausible, Tally, etc.)
- `font-src` directive blocks font loading from several URLs (16 occurrences)
The CSP header appears to be missing required domains in its whitelist, and lacks proper nonce or 'unsafe-inline' configuration for inline scripts.
Screenshot:
Steps to reproduce:
- Go to https://hackmd.io/login
- Open browser DevTools → Console tab
- Observe 17 CSP violation errors
Expected behaviour
The login page should load without CSP violations. All required external scripts (Google sign-in, Stripe, Sentry, analytics, etc.) and fonts should be whitelisted in the CSP header.
Environment
Desktop
- OS: iOS, win 11
- Browser: chrome, chrome
- Browser Version: Version 146.0.7680.75 (Official Build) (64-bit)
Additional context
The blocked domains include: youtube.com, gist.github.com, slideshare.net, vimeo.com, google.com, stripe.com, sentry-cdn.com, plausible.io, tally.so, among others. This suggests the CSP script-src directive needs updating to match the scripts actually loaded by the page.
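To check a candidate policy against the resources a page actually loads before deploying it, the following small CSP evaluator is added here as an illustration; it is not HackMD's code. It parses a `Content-Security-Policy` header, applies the `default-src` fallback, matches host-sources (including `*.` wildcards and scheme-only sources), and treats inline scripts the way browsers do: allowed by `'unsafe-inline'` only when no nonce or hash source is present, otherwise only by a matching nonce. The policy string, page origin and resource list below are constructed sample values, not HackMD's real header.

```javascript
// Minimal CSP source-list evaluator (added example, not HackMD's code).
// Covers host-source, scheme-source, 'self', 'none', 'unsafe-inline' and
// 'nonce-...'; 'strict-dynamic' and hash sources are not evaluated here.

const FALLBACK = { "script-src": "default-src", "font-src": "default-src" };

// "script-src 'self' https://a.example; font-src ..." -> { "script-src": [...], ... }
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Host pattern match: "*.example.com" matches subdomains but not the apex.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this URL? `self` is the page origin.
function sourceAllows(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === self.origin;
  if (e === "*") return true;
  if (e.endsWith(":")) return url.protocol === e; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  // No scheme given: the URL must use the page's scheme or https.
  if (!scheme && !(url.protocol === "https:" || url.protocol === self.protocol)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== urlPort) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Directive sources, falling back to default-src; null means unrestricted.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  const fb = FALLBACK[directive];
  return fb && policy[fb] ? policy[fb] : null;
}

// External resource (script-src, font-src, ...) against the policy.
function isUrlAllowed(policy, directive, urlString, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  const self = new URL(pageOrigin);
  return sources.some((s) => sourceAllows(s, url, self));
}

// Inline script: a matching nonce always allows it; 'unsafe-inline' allows it
// only when the directive carries no nonce or hash source (browsers ignore
// 'unsafe-inline' once a nonce/hash is present).
function isInlineAllowed(policy, directive, nonce) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  return !hasNonceOrHash && lower.includes("'unsafe-inline'");
}

// Report every load in `loads` that the header would block.
function auditPolicy(header, pageOrigin, loads) {
  const policy = parseCsp(header);
  const blocked = [];
  for (const { directive, url, inline, nonce } of loads) {
    const ok = inline
      ? isInlineAllowed(policy, directive, nonce)
      : isUrlAllowed(policy, directive, url, pageOrigin);
    if (!ok) blocked.push(inline ? `${directive} inline` : `${directive} ${url}`);
  }
  return blocked;
}

// Constructed sample policy and load list (not HackMD's actual header).
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://www.google.com; font-src 'self' https://fonts.gstatic.com";
const SAMPLE_LOADS = [
  { directive: "script-src", url: "https://www.google.com/recaptcha/api.js" },
  { directive: "script-src", url: "https://js.stripe.com/v3/" },
  { directive: "script-src", inline: true },
  { directive: "font-src", url: "https://fonts.gstatic.com/s/font.woff2" },
  { directive: "font-src", url: "https://example-cdn.test/font.woff2" },
];

console.log(auditPolicy(SAMPLE_POLICY, "https://hackmd.io", SAMPLE_LOADS));
```

Run against the real header and the list of URLs from the console errors, the output is the set of entries that have to be added to the policy (or, for inline scripts, the place where a nonce needs to be issued), which is a more reliable basis for a fix than guessing from the reporter's domain list.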