Is this a hackmd.io issue?
What's the problem
Current behaviour
Opening the HackMD sign-in page triggers 17 Content Security Policy (CSP) errors in the browser console:
- `script-src` directive blocks inline script execution and scripts from multiple external domains (YouTube, Google, Stripe, Sentry, Plausible, Tally, etc.)
- `font-src` directive blocks font loading from several URLs (16 occurrences)

The CSP header appears to be missing required domains in its whitelist, and lacks proper `nonce` or `'unsafe-inline'` configuration for inline scripts.
Screenshot:
Steps to reproduce:
- Go to https://hackmd.io/login
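
To triage console errors like the ones reported above, the following added example (not part of the original report and not HackMD's code) checks which resource URLs a policy blocks under `script-src` / `font-src` and whether an inline script would run. The policy string, page origin, nonce and URLs are constructed for illustration, and source matching is simplified to scheme and host.

```javascript
// Constructed sample policy, origin and URLs; not HackMD's real header.
const POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://js.stripe.com; font-src 'self'";
const PAGE_ORIGIN = "https://app.example";
const RESOURCES = [
  ["script-src", "https://js.stripe.com/v3/"],
  ["script-src", "https://www.youtube.com/iframe_api"],
  ["font-src", "https://fonts.gstatic.com/s/sample.woff2"],
];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified matching: scheme and host only; ports and paths are ignored.
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes never match a URL
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && u.protocol !== m[1].toLowerCase() + ":") return false;
  return m[2] ? u.hostname.endsWith("." + m[3]) : u.hostname === m[3];
}

function blockedUrls(header, pageOrigin, resources) {
  const policy = parseCsp(header);
  return resources.filter(([directive, url]) => {
    const sources = policy.get(directive) ?? policy.get("default-src"); // fallback
    return sources !== undefined && !sources.some((s) => sourceMatches(s, url, pageOrigin));
  });
}

function inlineScriptAllowed(header, nonce) {
  const policy = parseCsp(header);
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (!sources) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !strict;
}
```

Feeding it the real `Content-Security-Policy` response header and the URLs named in the console errors shows whether each block comes from a missing host source or from an inline script without a matching nonce.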