Is this a hackmd.io issue?
What's the problem
Current behaviour
Opening the HackMD sign-in page triggers 17 Content Security Policy (CSP) errors in the browser console:
- `script-src` directive blocks inline script execution and scripts from multiple external domains (YouTube, Google, Stripe, Sentry, Plausible, Tally, etc.)
- `font-src` directive blocks font loading from several URLs (16 occurrences)

The CSP header appears to be missing required domains in its whitelist, and lacks a proper nonce or `'unsafe-inline'` configuration for inline scripts.
Screenshot:
Steps to reproduce:
- Go to https://hackmd.io/login
- Open browser DevTools → Console tab
- Observe 17 CSP violation errors
Expected behaviour
The login page should load without CSP violations. All required external scripts (Google sign-in, Stripe, Sentry, analytics, etc.) and fonts should be whitelisted in the CSP header.
Environment
Desktop
- OS: iOS, win 11
- Browser: chrome, chrome
- Browser Version: Version 146.0.7680.75 (Official Build) (64-bit)
Additional context
The blocked domains include: youtube.com, gist.github.com, slideshare.net, vimeo.com, google.com, stripe.com, sentry-cdn.com, plausible.io, tally.so, among others. This suggests the CSP script-src directive needs updating to match the scripts actually loaded by the page.
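To show how the blocked-domain list in a report like this can be reconciled with the policy that produced it, here is an added example (not HackMD's code; HackMD's real CSP header is not on this page). It parses a Content-Security-Policy header, applies the `default-src` fallback, and reports which script and font URLs would be rejected, plus how the policy treats inline scripts (nonce/hash, `'unsafe-inline'`, or blocked). The policy string, the page origin and the resource URLs are constructed for illustration, using the domains the report names; the matcher is simplified (it ignores path and port matching and `'strict-dynamic'`).

```python
"""Check which script/font URLs a Content-Security-Policy would block.

Added example, not HackMD's code. SAMPLE_CSP, PAGE_ORIGIN and
SAMPLE_RESOURCES are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed policy: deliberately too narrow, so it reproduces the kind of
# violations the report describes. This is NOT HackMD's real header.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.google.com; "
    "font-src 'self' https://fonts.gstatic.com"
)

# Constructed page origin and resource list (domains named in the report).
PAGE_ORIGIN = "https://hackmd.io"
SAMPLE_RESOURCES = [
    ("script-src", "https://www.google.com/recaptcha/api.js"),
    ("script-src", "https://js.stripe.com/v3/"),
    ("script-src", "https://browser.sentry-cdn.com/bundle.min.js"),
    ("script-src", "https://plausible.io/js/script.js"),
    ("script-src", "https://tally.so/widgets/embed.js"),
    ("script-src", "https://www.youtube.com/iframe_api"),
    ("font-src", "https://fonts.gstatic.com/s/inter/v12/font.woff2"),
    ("font-src", "https://cdn.example-fonts.test/icons.woff2"),
]


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def source_allows(expr, url, page_origin):
    """Simplified CSP source-expression match against a resource URL."""
    e = expr.lower()
    u = urlparse(url)
    if e == "*":
        return True
    if e == "'self'":
        o = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if e.startswith("'"):
        return False  # nonce/hash/unsafe-* keywords never match a fetched URL
    if e.endswith(":") and "/" not in e:
        return u.scheme == e[:-1]  # scheme-source such as https:
    if "://" in e:
        scheme, rest = e.split("://", 1)
        if u.scheme != scheme:
            return False
    else:
        rest = e
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return (u.hostname or "") == host


def find_violations(header, resources, page_origin):
    """Return the (directive, url) pairs the policy would block."""
    policy = parse_csp(header)
    violations = []
    for directive, url in resources:
        sources = effective_sources(policy, directive)
        if sources is None:
            continue  # neither the directive nor default-src is set
        if not any(source_allows(s, url, page_origin) for s in sources):
            violations.append((directive, url))
    return violations


def inline_script_status(header):
    """'nonce/hash', 'unsafe-inline', or 'blocked' for inline <script> elements."""
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        return "unsafe-inline"  # no script restriction at all
    sources = [s.lower() for s in sources]
    if any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources):
        return "nonce/hash"  # 'unsafe-inline' is ignored once a nonce/hash is present
    if "'unsafe-inline'" in sources:
        return "unsafe-inline"
    return "blocked"


if __name__ == "__main__":
    for directive, url in find_violations(SAMPLE_CSP, SAMPLE_RESOURCES, PAGE_ORIGIN):
        print(f"{directive} would block {url}")
    print("inline scripts:", inline_script_status(SAMPLE_CSP))
```

Running it against the constructed policy flags the Stripe, Sentry, Plausible, Tally and YouTube scripts and the second font host, while the Google script and Google Fonts load are allowed; inline scripts come back as blocked because the policy carries neither a nonce nor `'unsafe-inline'`. Feeding the real header and the page's actual resource list into `find_violations` gives the exact whitelist additions a fix needs, rather than a count of console errors.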