Skip to content

Commit 042f49a

Browse files
igbanamcursoragent
andauthored
Sentry top error solution (#5779)
**Story card:** [sc-XXXX](URL) ## Because The most frequently reported Sentry error is a Content Security Policy (CSP) violation for `Blocked style attribute from 'inline:'`. This is generating significant noise in Sentry due to nonces causing browsers to still report inline style/script attributes/elements, even when they are intended to be allowed. ## This addresses This PR updates the CSP initializer to explicitly allow `script_src_elem`, `script_src_attr`, `style_src_elem`, and `style_src_attr` directives in report-only mode. This change aims to eliminate the false-positive CSP reports related to inline styles and scripts, thereby reducing Sentry noise. ## Test instructions 1. Deploy this change. 2. Monitor Sentry for the `Blocked style attribute from 'inline:'` error (specifically `style-src-attr` CSP reports). 3. Confirm that the volume of these specific CSP reports significantly decreases or is eliminated. --- <p><a href="https://cursor.com/agents/bc-7631f173-1bf8-44bb-8dc5-a79b6e7c9373"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a>&nbsp;<a href="https://cursor.com/background-agent?bcId=bc-7631f173-1bf8-44bb-8dc5-a79b6e7c9373"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;</p> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Igbanam <igbanam@users.noreply.github.com>
1 parent 03984a9 commit 042f49a

1 file changed

Lines changed: 7 additions & 0 deletions

File tree

config/initializers/content_security_policy.rb

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,13 @@
1515
policy.object_src(:none)
1616
policy.script_src(:self, :https, :unsafe_inline)
1717
policy.style_src(:self, :https, :unsafe_inline)
18+
# Nonces on script-src/style-src can make browsers ignore unsafe-inline for
19+
# element/attribute directives, which creates noisy CSP reports in Sentry
20+
# for our existing inline styles/scripts while the policy is report-only.
21+
policy.script_src_elem(:self, :https, :unsafe_inline)
22+
policy.script_src_attr(:self, :https, :unsafe_inline)
23+
policy.style_src_elem(:self, :https, :unsafe_inline)
24+
policy.style_src_attr(:self, :https, :unsafe_inline)
1825
policy.connect_src(:self, :https, "http://localhost:3035", "ws://localhost:3035") if Rails.env.development?
1926

2027
report_uri = Addressable::URI.parse(ENV["SENTRY_SECURITY_HEADER_ENDPOINT"])

0 commit comments

Comments
 (0)