
I have a selenium test developed in Selenium IDE. I have a step in this suite that should type a value in a text field. It fails at that step giving the following error:

18. click on id=firstName Failed:11:12:59
call to eval() blocked by CSP


undetected Selenium
cristid9

3 Answers


CSP

Content Security Policy (CSP) acts as an added layer of security that helps to detect and mitigate attacks including Cross Site Scripting (XSS) and data injection attacks. These attacks are primarily used for data theft and distribution of malware.


This error message...

call to eval() blocked by CSP

...implies that the add-on which is being used by the Selenium IDE doesn't include 'unsafe-eval' in CSP header.

As per the discussion Firefox add-on needs 'unsafe-eval' in CSP header, earlier versions of Firefox were not able to detect Ember.js based applications if the server sends the Content Security Policy header without 'unsafe-eval' in the script-src directive.

This issue was discussed at length within the discussion Convert Firefox add-on to use the Chrome WebExtension and was addressed through an installable WebExtension which can be found here.


Update

As per OP's comment an easier approach would be to tweak the following Key-Value within about:config which solves the issue:

security.csp.enable    off

Reference

You can find a relevant discussion in Refused to load the script because it violates the following Content Security Policy directive: script-src error with ChromeDriver Chrome and Selenium

undetected Selenium
  • Just turning `security.csp.enable` off in firefox `about:config` worked well for me – cristid9 Aug 09 '19 at 11:46
  • Are you just using the Selenium tests on a Dev server? If so I would leave CSP turned on for the Production server – Stephen R Sep 10 '19 at 12:56
  • Disabling `security.csp.enable` is no more available since Firefox 99 (see [Consider removing security.csp.enable pref](https://bugzilla.mozilla.org/show_bug.cgi?id=1754301)). Thus the updated solution doesn't work anymore. – Matthieu FAURE Apr 27 '22 at 14:55

Disabling CSP in about:config is no longer possible since Firefox 99.

Another solution consists in using a web extension, where you can be more selective on what you enable/disable.

Let's say we want to authorize execution of JS (script-src: 'unsafe-eval') on https://www.example.org/:

First install the Firefox extension ModHeader (it is also available on other browsers). Once installed, open the panel:

Click on the + icon and add a Response header: as name type Content-Security-Policy and as value type script-src: 'unsafe-eval'.

Click one more time on the + icon and add a Filter. For the URL pattern type https:\/\/www.example.org/.


You may choose precisely what to enable/disable on the CSP website.

Matthieu FAURE

As has been mentioned, the security.csp.enable option has been removed as of Firefox 99. While there are third party extensions to allow manipulating the CSP header (as per this answer), be sure that the author is trustworthy.

There is also an official Mozilla extension that can be used too: Laboratory, with an associated Laboratory video tutorial.

Once installed, the basic steps:

  1. Open the site you'd like to test with Selenium IDE
  2. Click on the Laboratory extension
  3. Choose "Custom CSP policy"
  4. Add a permissive CSP as required e.g. allow everything
  5. Save the policy then run Selenium IDE as normal
Stephen S
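As an added example (not code from any of the answers, from Selenium IDE or from the extensions mentioned), a small Python checker for the mechanism the answers describe: whether a given Content-Security-Policy would block Selenium IDE's eval() call, including the fallback from script-src to default-src, and the rule that a response carrying several CSP headers enforces every one of them, which is why a test policy has to replace the server's header rather than be delivered alongside it. The sample headers are constructed for illustration.

```python
"""Check whether a Content-Security-Policy header blocks eval()."""
from typing import Dict, Iterable, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split one policy into {directive-name: [source expressions]}.

    Directives are ';'-separated; a name is whitespace-separated from its
    values.  Like browsers, keep the first occurrence of a directive name.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def eval_allowed(header: str) -> bool:
    """True if eval() may run under this single policy, False if blocked.

    eval() is governed by script-src, falling back to default-src when
    script-src is absent.  With neither present, scripts are unrestricted.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(source.lower() == "'unsafe-eval'" for source in sources)


def eval_allowed_by_all(headers: Iterable[str]) -> bool:
    """Several CSP headers on one response are each enforced independently.

    eval() runs only if every policy permits it, so appending a looser
    policy never relaxes the server's one; it has to be replaced instead.
    """
    return all(eval_allowed(h) for h in headers)


# Constructed sample headers mirroring the situation in the question.
SERVER_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.org"
TEST_POLICY = "script-src 'unsafe-eval'"

if __name__ == "__main__":
    print(eval_allowed(SERVER_POLICY))                        # False
    print(eval_allowed(TEST_POLICY))                          # True
    print(eval_allowed_by_all([SERVER_POLICY, TEST_POLICY]))  # False
```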