'unsafe-eval' is not an allowed ... Security Policy directive: "script-src 'self'

[jain0709]

trying to automate scenario for login https site getting following error :-

[DEBUG] WebPage - evaluateJavaScript result QVariant(QVariantMap, QMap(("status", QVariant(double, 13) ) ( "value" , QVariant(QVariantMap, QMap(("message", QVariant(QString, "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ".
") ) ) ) ) ) )
2015-03-27T20:34:57 [DEBUG] HTTP Response - Status Code 500 Internal Server Error

same test is working fine when using chrome browser. Running phantom js as :-

phantomjs --ignore-ssl-errors=true --web-security=false --ssl-protocol=tlsv1 --local-to-remote-url-access=true --webdriver=4444 --debug=true

seems some kind of bug with phantomjs.

[cdroulers]

I'm having the same issue when trying to log in through IdentityServer3 with PhantomJS 2. Chrome and PhantomJS 1.9.8 work just fine.

[jain0709]

Thanks for suggestion, It worked with PhantomJS 1.9.8

[zackw]

@jain0709 We don't want you to have to downgrade. If something worked in 1.9.x and doesn't in 2.0, that's something we should fix.

That said, we need quite a bit more information from you before we can do anything about this. Specifically, we need to know what website provoked this error, and how you were using PhantomJS to access it -- not just the command line invocation, but the script. If at all possible, construct a self-contained test script that we can run as

$ phantomjs issue13114.js

and see the same problem you are. It's OK if you need extra files or even a web server, just explain in enough detail that we can make it happen for ourselves.

Also, there's a decent chance this is a situation where the newer Webkit in 2.0 is refusing to do something insecure when the older one would let you get away with it. This is a guess, based on the text of the error message. I could be wrong.

Also also, you shouldn't ever need to use --ignore-ssl-errors=true or --web-security=false -- that suggests to me that you have major problems with the environment you're running PhantomJS in, and you may find that this problem vanishes if you sort those out first.

[cdroulers]

@zackw I'll see about creating a quick test case soon. The problem I was experiencing is that my app was doing a redirect (via JavaScript) to our authentication server, which was a different page, but on the same domain (virtual directories in IIS). I tried accessing the login page directly and it worked just fine.

[cdroulers]

@zackw Here's a commit with a test case that MIGHT be reproducing the issue. If not the right issue, it still is one I think! Vooban@a18eab4

Simply start a two web servers for the folder on port 8000 and 8001 and the output is something like :

success 8000
redirect caught
Operation canceled
http://localhost:8001/index2.html
failed http://localhost:8001/index2.html

[zackw]

@cdroulers That doesn't appear to have anything to do with Content-Security-Policy directives?

[cdroulers]

@zackw Nope. I caught this while trying to reproduce. I'm still unable to create a test case. The problem happens for me with a C# Selenium test case. Would it be okay to create a repro this way?

[zackw]

@cdroulers I think we can cope with that, if that's what you need to do to make it happen.

[cdroulers]

@zackw I've narrowed it down to a decent test case. If I try to render a page with a Content-Security-Policy in a phantomjs script, the page loads and renders in a screenshot fine. The JavaScript is not executed.

If I try to load that page with Selenium's RemoteWebDriver though, it fails with the error. I'm trying to create a very small and specific test case to reproduce it. Do you have a suggestion on how to write that test case with selenium in a language that would be easy to run for you? Ruby, Python, etc. I can figure out how to write it!

[zackw]

@cdroulers Anything you can possibly do to reproduce the issue without Selenium is worth doing, but beyond that, don't worry about languages; we're gonna have to rewrite it to fit it into our automated test suite anyway.

"The JavaScript is not executed", though, that might be enough of a clue right there. Which JavaScript exactly was that?

[cdroulers]

@zackw The JavaScript not being executed is inlined JavaScript, which the Content-Security-Policy header forbids. When I open the page in Chrome, nothing is executed and I get warnings in the developer console.

In Phantom, everything succeeds without warnings (that I can see!), the screenshot is taken properly. In the JavaScript, I try to write in the body, and the text does not appear in the body. So I think PhantomJS is handling everything just fine.

On the other hand, when I simply try to load the page in Selenium and then read the Url or Title of the IWebDriver, it fails with the error in the OP. I'm starting to think it's a problem with the Selenium Web Driver! Do you have any idea how it works for PhantomJS?

[cdroulers]

master...Vooban:master

Here's a diff of how I got a repro. The issue13114.js works fine (and doesn't execute the JS).

The Selenium test case crashes with the error from the OP. I'm not well versed with Selenium enough to know what exactly happens between the two when driver.Url is called.

[snowyu]

this happen on https://github.com now(phantomjs-2.1.1-windows)：

 1) Github test open URL Then  I expect that the url is "https://github.com/":
     Uncaught Error: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the
following Content Security Policy directive: "script-src assets-cdn.github.com".
 Uncaught Error: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the
following Content Security Policy directive: "script-src assets-cdn.github.com".

the phantomjs raise error:

[INFO  - 2016-02-24T13:47:49.812Z] GhostDriver - Main - running on port 4444
[INFO  - 2016-02-24T13:48:02.627Z] Session [3937fde0-dafd-11e5-ac6f-115b0bd0fe78] - page.settings - {"XSSAuditingEnabled":false,"javascriptCanCloseWindows":true,"javascriptCanOpenWindows":true,"javascriptEnabled":true,"loadImages":true,"localToRemoteUrlAccessEnabled":false,"userAgent":"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1","webSecurityEnabled":false}
[INFO  - 2016-02-24T13:48:02.627Z] Session [3937fde0-dafd-11e5-ac6f-115b0bd0fe78] - page.customHeaders:  - {}
[INFO  - 2016-02-24T13:48:02.627Z] Session [3937fde0-dafd-11e5-ac6f-115b0bd0fe78] - Session.negotiatedCapabilities - {"browserName":"phantomjs","version":"2.1.1","driverName":"ghostdriver","driverVersion":"1.2.0","platform":"windows-10-32bit","javascriptEnabled":true,"takesScreenshot":true,"handlesAlerts":false,"databaseEnabled":false,"locationContextEnabled":false,"applicationCacheEnabled":false,"browserConnectionEnabled":false,"cssSelectorsEnabled":true,"webStorageEnabled":false,"rotatable":false,"acceptSslCerts":false,"nativeEvents":true,"proxy":{"proxyType":"direct"}}
[INFO  - 2016-02-24T13:48:02.627Z] SessionManagerReqHand - _postNewSessionCommand - New Session Created: 3937fde0-dafd-11e5-ac6f-115b0bd0fe78
[ERROR - 2016-02-24T13:48:31.217Z] RouterReqHand - _handle.error - {"line":264,"sourceURL":"phantomjs://code/webelement_request_handler.js","stack":"_postValueCommand@phantomjs://code/webelement_request_handler.js:264:52\n_handle@phantomjs://code/webelement_request_handler.js:72:30\n_reroute@phantomjs://code/request_handler.js:61:20\n_handle@phantomjs://code/session_request_handler.js:120:42\n_reroute@phantomjs://code/request_handler.js:61:20\n_handle@phantomjs://code/router_request_handler.js:78:46"}

  phantomjs://platform/console++.js:263 in error

[edneypitta]

Same happening to me when I call Driver.Url. It worked with version 1.9.8.

Running on Selenium, C#.

[Ocramius]

Same issue here: seems to do that whenever trying to load anything with HTTPS, really.

Same as what @snowyu reported.

[spellfish]

I'm also seeing this issue as described by @snowyu. Running selenium, ruby.

[Ocramius]

@traviscooper thanks! Sorry, I misunderstood the solution then, that does indeed work if you have control over the server-side.

[travisjweber]

Oh yeah, most definitely need that control! Our same tests work with chrome's driver FYI, we were using that locally but it doesn't work with our builds so we [temporarily] relaxed the CSP so Phantom works until we can figure out something longer-term.

[tobias-sc]

Going through the replies seem temporary fix is to downgrade PhantomJS or modify CSP option for Identity Server....
In our case here we have to use at least 2.1 due its support of SSL certificates, also no access to the Identity Server - what would be the solution in this case?
It is mentioned to remove horseman? If yes, how or what is another option?

Thank you.

[peacetrader]

Hi, I am using this dependency in my sbt build :
"com.github.detro.ghostdriver" % "phantomjsdriver" % "1.0.1"
and by default it is using this combination :
"browserName":"phantomjs","version":"2.1.1","driverName":"ghostdriver","driverVersion":"1.2.0"
How to use the 1.9.8 version ?.

[alexmherrmann]

Seeing the same thing trying to interact with stripe website while authorizing an API. Works fine with chrome just like others have said.

[travisjweber]

We wound up creating an http proxy to strip out the csp directive for running our tests with phantomjs.

[jeff1985]

We encountered the same problem while trying to implement a behat test for SOFORT payment integration. Any progress here?

[jesg]

Any progress here?

it should work for every command but execute_script and execute_async_script in the next version of ghostdriver.

[javascriptlove]

In meteor we used this:

if (process.env.NODE_ENV === 'development') {
    BrowserPolicy.content.allowEval(); // for PhantomJS end-to-end testing
}

Which is something like this in raw content-security-policy header:

script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:3000 https://localhost:3000

[bobmshannon]

Also experiencing this issue.

[ssb22]

In Python's webdriver, even reading current_url (which calls execute("getCurrentUrl")['value']) raises a WebDriverException with the unsafe-eval complaint on affected sites. (Tested on PhantomJS 2.1.1.)

[travisjweber]

We've switched to using Selenium-Grid with Chrome and Internet Explorer, no more dealing with a headless browser just for our Selenium tests.

[bllevy]

Any updates on this issue?

[ssb22]

Not as far as I know. I work around it by telling PhantomJS to send its requests through my custom proxy, which (among other things) removes headers like Content-Security-Policy, if necessary breaking into SSL to do so (I disable PhantomJS's certificate checks). http://ssb22.user.srcf.net/adjuster/

[stephen-walsh]

also hitting this issue now 2.5 years later :(

[ssb22]

I guess that's partly because PhantomJS is no longer maintained, so this issue is now permanent. I'm planning on switching to Headless Chrome when they fix their problems with self-signed SSL https://crbug.com/721739 meanwhile I put an upstream proxy on PhantomJS's requests and remove headers like Content-Security-Policy so it doesn't see them.

[mesaleh]

PhantomJS latest stable version 2.1.1 has a bug when it tries to get a webpage that has the following response header:
content-security-policy: default-src 'none'

The Fix:
Branch 2.1.1, File: \phantomjs\src\qt\qtwebkit\Source\WebCore\page\ContentSecurityPolicy.cpp, Change line 354:

, m_allowEval(false)

To:

, m_allowEval(true)

Then build.py -r ... Enjoy!

[stale]

Due to our very limited maintenance capacity (see #14541 for more details), we need to prioritize our development focus on other tasks. Therefore, this issue will be automatically closed. In the future, if we see the need to attend to this issue again, then it will be reopened. Thank you for your contribution!