Solution found to "CSP-violating eval error in javascript of new instance"

Hello all,
My old thread was locked due to inactivity: CSP-violating eval error in javascript of new instance

But I wanted to post that I finally found a solution to the problem I had encountered there, and I wanted to share the solution in case any other instance admins run into the same issue.

The symptom:

  • Once I logged into my instance, I got a blank page with the following error messages in the Firefox JavaScript console:
    Uncaught EvalError: call to eval() blocked by CSP
    Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

The diagnosis:

  • There are two sets of webpack config files included in the mastodon git checkout: in ~mastodon/live/config/webpack/ there is development.js and production.js.
  • development.js has the setting devtool: 'cheap-module-eval-source-map'
  • production.js by contrast has the setting devtool: 'source-map'
  • The development settings tell Webpack to use a method of bundling javascript which uses eval() statements in the output code, together with a content-security-policy header that allows eval(). (Easier debugging during development)
  • The production settings tell Webpack to use no eval() statements, with a content-security-policy header that disallows eval(). (More secure for production)
  • Somehow during mastodon installation, all my files had been compiled in development mode instead of in production mode. But they were getting served in production mode, with the stricter content-security-policy header, making the browser treat the eval()s as illegal.

The solution:

  • delete the old bundle files with rm -r ~mastodon/live/public/dist/js/*
  • (as mastodon user): npm run-script build:production to recompile javascript in production mode.
  • (as root user) systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming to have mastodon re-read the newly compiled javascript bundles.

Hope this helps somebody.

A post was merged into an existing topic: CSP-violating eval error in javascript of new instance
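
An added example, not part of the original post: a shell check for the mismatch diagnosed above, where eval-style bundles are served under a CSP that does not permit eval(). The function names, the grep marker for eval-wrapped modules, the sample bundle files and the sample policy are all assumptions constructed for illustration.

```shell
# Added example, not from the original post. The grep marker is a heuristic
# assumption about eval-style devtool output; sample files are constructed.
# Print how many .js files in directory $1 contain eval()-wrapped modules.
count_eval_bundles() {
  count=0
  for f in "$1"/*.js; do
    [ -f "$f" ] || continue
    if grep -q 'eval(".*sourceURL=' "$f"; then count=$((count + 1)); fi
  done
  echo "$count"
}

# Succeed if the CSP value $1 lets scripts call eval().
# script-src is used when present, otherwise default-src is the fallback.
csp_allows_eval() {
  parts=$(printf '%s\n' "$1" | tr ';' '\n' | sed 's/^ *//')
  directive=$(printf '%s\n' "$parts" | grep -i '^script-src ' | head -n 1)
  [ -n "$directive" ] || directive=$(printf '%s\n' "$parts" | grep -i '^default-src ' | head -n 1)
  case "$directive" in *"'unsafe-eval'"*) return 0 ;; esac
  return 1
}

# Report whether the bundles in $1 would break under the policy in $2.
check_mismatch() {
  n=$(count_eval_bundles "$1")
  if [ "$n" -gt 0 ] && ! csp_allows_eval "$2"; then
    echo "MISMATCH: $n eval-style bundle(s), but the CSP blocks eval()"
    return 1
  fi
  echo "OK: bundles and CSP agree"
}

# Build constructed sample bundles and print the directory holding them.
make_demo() {
  d=$(mktemp -d)
  mkdir "$d/dev" "$d/prod"
  cat > "$d/dev/app.js" <<'EOF'
eval("console.log('hi');\n//# sourceURL=webpack-internal:///1\n");
EOF
  cat > "$d/prod/app.js" <<'EOF'
!function(){console.log("hi")}();
//# sourceMappingURL=app.js.map
EOF
  echo "$d"
}

demo=$(make_demo)
strict="default-src 'none'; script-src 'self'"  # constructed policy, no 'unsafe-eval'
check_mismatch "$demo/dev" "$strict" || true
check_mismatch "$demo/prod" "$strict"
rm -r "$demo"
```

On a real instance, the directory argument would be the bundle directory named in the post (~mastodon/live/public/dist/js) and the policy argument would be the Content-Security-Policy header value the server actually sends.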