Session 15: CSP bugs fixed, QA passed, marketing materials ready
parent 0cefaf71d1
commit 58bbc9965d
9 changed files with 456 additions and 19 deletions
@ -2,25 +2,50 @@
## Open
### BUG-004: CSP blocks all inline JavaScript — CRITICAL ROOT CAUSE
### BUG-006: Copy button lacks visual feedback
- **Found by:** Hoid (QA via Playwright)
- **Date:** 2026-02-14
- **Severity:** CRITICAL — blocks ALL frontend functionality
- **Description:** Helmet middleware sets Content-Security-Policy that blocks inline scripts (`script-src 'self'`). The landing page uses inline `<script>` tags for signup modal, checkout, etc. CSP blocks them all silently. This is why signup and Pro checkout do nothing in the browser.
- **Console error:** `Executing inline script violates the following Content Security Policy directive 'script-src 'self''`
- **Fix:** Either (a) move all inline JS to an external .js file and serve it, OR (b) configure Helmet CSP to allow the specific inline script hash: `sha256-XMJXl2xc7O04+e5iJVD+zNlWQvR+VzMuyVfzOlUW5MA=`, OR (c) use nonces. Option (a) is cleanest.
- **Severity:** LOW — cosmetic/UX
- **Description:** After clicking "Click to copy" on the API key, the button text doesn't change to "Copied!" or provide any visual confirmation. The clipboard write itself works without errors (no CSP or JS errors), but the user has no feedback that the copy succeeded.
- **Fix:** Add visual feedback in the copy handler (e.g., change button text to "Copied!" for 2 seconds).
- **Status:** Open
## Resolved
### BUG-001: Signup form doesn't work in browser
- **Root cause:** BUG-004 (CSP blocks inline JS)
- **Status:** Will be fixed by BUG-004
### BUG-004: CSP blocks all inline JavaScript — RESOLVED ✅
- **Found by:** Hoid (QA via Playwright)
- **Date:** 2026-02-14
- **Resolved:** 2026-02-14
- **Severity:** CRITICAL
- **Description:** Helmet middleware CSP blocked inline `<script>` tags. Fixed by moving all JS to external `/app.js`.
- **Verification:** Playwright test — zero page errors, zero console errors on load.
- **Status:** RESOLVED
### BUG-002: Pro plan "Get Started" button non-functional
- **Root cause:** BUG-004 (CSP blocks inline JS)
- **Status:** Will be fixed by BUG-004
### BUG-005: Inline onclick handlers blocked by CSP script-src-attr 'none' — RESOLVED ✅
- **Found by:** Hoid (QA via Playwright)
- **Date:** 2026-02-14
- **Resolved:** 2026-02-14
- **Severity:** CRITICAL
- **Description:** All `onclick="..."` attributes were blocked by CSP. Fixed by replacing with `addEventListener` in app.js.
- **Verification:** Playwright test confirmed all buttons functional:
- "Get Free API Key" → opens signup modal ✅
- Email submit → returns API key ✅
- Copy button → no errors ✅
- Close modal → works ✅
- Pro "Get Started" → redirects to checkout.stripe.com ✅
- **Status:** RESOLVED
### BUG-003: Console errors in browser
- **Root cause:** BUG-004 (CSP blocks inline JS)
- **Status:** Will be fixed by BUG-004
### BUG-001: Signup form doesn't work in browser — RESOLVED ✅
- **Root cause:** BUG-004 + BUG-005
- **Resolved:** 2026-02-14 (via BUG-004/005 fixes)
- **Status:** RESOLVED
### BUG-002: Pro plan "Get Started" button non-functional — RESOLVED ✅
- **Root cause:** BUG-004 + BUG-005
- **Resolved:** 2026-02-14 (via BUG-004/005 fixes)
- **Status:** RESOLVED
### BUG-003: Console errors in browser — RESOLVED ✅
- **Root cause:** BUG-004 + BUG-005
- **Resolved:** 2026-02-14 (zero errors confirmed via Playwright)
- **Status:** RESOLVED
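Review bot: The resolved BUG-004 and BUG-005 entries record how the page was changed (JS moved to `/app.js`, `onclick` attributes replaced with `addEventListener`) but not what the policy looks like after the fix, and the console error line from the open BUG-004 entry is dropped. Add a line to each entry stating whether the Helmet CSP still sends `script-src 'self'` and `script-src-attr 'none'` unchanged, with no `'unsafe-inline'`, hash or nonce added, and consider extending the Playwright verification to assert on the response's Content-Security-Policy header, so that a later change which loosens the policy cannot pass on "zero console errors" alone. The BUG-005 check "Copy button → no errors" only shows the absence of errors, so it should cross-reference BUG-006, which is still open for the missing copy feedback.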