26 lines
1.3 KiB
Markdown
26 lines
1.3 KiB
Markdown
# Bug Tracker
|
|
|
|
## Open
|
|
|
|
### BUG-004: CSP blocks all inline JavaScript — CRITICAL ROOT CAUSE
|
|
- **Found by:** Hoid (QA via Playwright)
|
|
- **Date:** 2026-02-14
|
|
- **Severity:** CRITICAL — blocks ALL frontend functionality
|
|
- **Description:** Helmet middleware sets Content-Security-Policy that blocks inline scripts (`script-src 'self'`). The landing page uses inline `<script>` tags for signup modal, checkout, etc. CSP blocks them all silently. This is why signup and Pro checkout do nothing in the browser.
|
|
- **Console error:** `Executing inline script violates the following Content Security Policy directive 'script-src 'self''`
|
|
- **Fix:** Either (a) move all inline JS to an external .js file and serve it, OR (b) configure Helmet CSP to allow the specific inline script hash: `sha256-XMJXl2xc7O04+e5iJVD+zNlWQvR+VzMuyVfzOlUW5MA=`, OR (c) use nonces. Option (a) is cleanest.
|
|
- **Status:** Open
|
|
|
|
## Resolved
|
|
|
|
### BUG-001: Signup form doesn't work in browser
|
|
- **Root cause:** BUG-004 (CSP blocks inline JS)
|
|
- **Status:** Will be fixed by BUG-004
|
|
|
|
### BUG-002: Pro plan "Get Started" button non-functional
|
|
- **Root cause:** BUG-004 (CSP blocks inline JS)
|
|
- **Status:** Will be fixed by BUG-004
|
|
|
|
### BUG-003: Console errors in browser
|
|
- **Root cause:** BUG-004 (CSP blocks inline JS)
|
|
- **Status:** Will be fixed by BUG-004
|