config/projects/business/memory/bugs.md

Bug Tracker

Open

BUG-004: CSP blocks all inline JavaScript — CRITICAL ROOT CAUSE

  • Found by: Hoid (QA via Playwright)
  • Date: 2026-02-14
  • Severity: CRITICAL — blocks ALL frontend functionality
  • Description: The Helmet middleware sets a Content-Security-Policy header that blocks inline scripts (script-src 'self'). The landing page uses inline <script> tags for the signup modal, checkout, etc. CSP blocks them all silently. This is why signup and Pro checkout do nothing in the browser.
  • Console error: Executing inline script violates the following Content Security Policy directive 'script-src 'self''
  • Fix: Either (a) move all inline JS to an external .js file and serve it, OR (b) configure Helmet CSP to allow the specific inline script hash: sha256-XMJXl2xc7O04+e5iJVD+zNlWQvR+VzMuyVfzOlUW5MA=, OR (c) use nonces. Option (a) is cleanest.
  • Status: Open
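
Added example for fix option (b), not code from this project: it derives the 'sha256-…' source for every inline script in a page and mirrors the browser's allow check, which shows that a one-byte edit to a script invalidates its hash. The function names and the sample HTML are assumptions made for illustration.

```javascript
// Added example: derive CSP 'sha256-...' sources for a page's inline scripts.
const crypto = require('node:crypto');

// CSP hash source: base64(SHA-256(exact text between the <script> tags)).
function cspHashSource(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Bodies of inline <script> elements. Scripts with a src attribute are external
// and already covered by 'self'. Regex extraction is a simplification for this
// example; a build step should use a real HTML parser.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (!/(?:^|\s)src\s*=/i.test(attrs)) bodies.push(body);
  }
  return bodies;
}

// Source list in the array form Helmet's `directives.scriptSrc` accepts.
function scriptSrcSources(html) {
  const hashes = inlineScripts(html).map(cspHashSource);
  return ["'self'", ...new Set(hashes)];
}

// Mirrors the browser's check: an inline script runs only if its hash is listed.
function inlineScriptAllowed(scriptText, sources) {
  return sources.includes(cspHashSource(scriptText));
}

// Constructed sample page (not the project's landing page).
const SAMPLE_HTML = `<!doctype html>
<script src="/js/vendor.js"></script>
<script>openSignupModal();</script>
<script type="module">
  startCheckout("pro");
</script>`;

const SAMPLE_SOURCES = scriptSrcSources(SAMPLE_HTML);
console.log(`script-src ${SAMPLE_SOURCES.join(' ')}`);
```

Hash sources cover <script> element bodies only; inline event-handler attributes such as onclick are still blocked under this policy, so they need to be moved into script code as well.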

Resolved

BUG-001: Signup form doesn't work in browser

  • Root cause: BUG-004 (CSP blocks inline JS)
  • Status: Will be fixed by BUG-004

BUG-002: Pro plan "Get Started" button non-functional

  • Root cause: BUG-004 (CSP blocks inline JS)
  • Status: Will be fixed by BUG-004

BUG-003: Console errors in browser

  • Root cause: BUG-004 (CSP blocks inline JS)
  • Status: Will be fixed by BUG-004