Hi Hiedra,

In order to test this properly, we need to create an environment similar to
the royale.apache.org site. The backend sends a Content-Security-Policy
header, which is causing this issue with third-party resources getting
blocked.

When testing locally on our own computers, we can simulate the same
Content-Security-Policy header by adding the following <meta> tag to the
HTML file.

<meta http-equiv="Content-Security-Policy" content="default-src 'self'
data: blob: 'unsafe-inline' https://www.apachecon.com/
https://www.communityovercode.org/ https://analytics.apache.org/;
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://analytics.apache.org/ https://www.apachecon.com/; style-src 'self'
'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self' data:
blob:; img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/;
worker-src 'self' data: blob:;">

For TourDeJewel, we can add the <meta> tag to the following template file
to ensure that it gets included in the generated index.html file:

https://github.com/apache/royale-asjs/blob/examples/TDJ_localresources/examples/jewel/TourDeJewel/src/main/resources/jewel-example-index-template.html

However, you should not commit this change to the repo. I'm suggesting this
merely for testing locally to better simulate the environment on
royale.apache.org.

--
Josh Tynjala
Bowler Hat LLC
https://bowlerhat.dev/


On Tue, Mar 11, 2025 at 5:55 AM Maria Jose Esteve <mjest...@iest.com> wrote:

> First step done. I've included web-animations.min.js in Jewel's swc and
> modified the TabBarView.as class.
> I've compiled royale-asjs with Maven and ant and then tested TDJ and
> everything works as expected. Can someone else try compiling the
> “examples/TDJ_localresources” branch and verify that there are no issues
> before merging it into develop?
>
> Thx
>
> Hiedra
>
> From: Josh Tynjala <notificati...@github.com>
> Sent: Tuesday, March 4, 2025 17:45
> To: apache/royale-asjs <royale-a...@noreply.github.com>
> CC: Maria Jose Esteve <mjest...@iest.com>; Comment <
> comm...@noreply.github.com>
> Subject: Re: [apache/royale-asjs] Apache Royale Tour de Jewel - broken
> (Issue #1252)
>
>
> As an example, Jewel's TabBarView contains the following <inject_script>
> that links to a JS library on Cloudflare. That's not going to work anymore.
>
> <inject_script>
> var script = document.createElement("script");
> script.setAttribute("src", "https://cdnjs.cloudflare.com/ajax/libs/web-animations/2.3.1/web-animations.min.js");
> document.head.appendChild(script);
> </inject_script>
>
> We're going to need to change TabBarView (and any other classes in
> royale-asjs that use <inject_script> to load files from CDNs) to provide
> that script file in a different way.
>
> I recently added a -js-include-script option to royale-compiler. That's
> probably our best bet. It includes the .js file in the .swc file (or in the
> compiled app), and it automatically adds a <script> tag to the .html file.
>
> In Jewel, we might use it like this (assuming that web-animations.min.js
> is added to our repo at that location):
>
> -js-include-script+=src/main/assembly/scripts/web-animations.min.js
>
> That means that we'll need to include web-animations.min.js in the Royale
> distribution. Hopefully, all of the scripts that we're referencing have
> compatible licenses that the ASF accepts.
>

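Why the Cloudflare-hosted script in the thread is blocked while a bundled copy loads, shown as an added example that is not part of the original emails or of the Royale code base. It is a simplified source matcher (ports, nonces and hashes are ignored), and the page origin https://royale.apache.org and the sample URLs passed to it are assumptions for illustration.

```javascript
// Added example: simplified CSP source matching for <script src> loads.
// POLICY holds the default-src, script-src and img-src parts of the policy quoted in the email.
const POLICY = "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ " +
  "https://www.communityovercode.org/ https://analytics.apache.org/; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ " +
  "https://www.apachecon.com/; img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/";

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match the URL? Handles 'self', scheme sources,
// and host sources with an optional leading "*." and path prefix.
function sourceMatches(source, url, origin) {
  if (source === "'self'") return url.origin === origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-inline' never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::\d+)?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path = "/"] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const hostOk = host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1)) // "*.apache.org" matches subdomains only
    : url.hostname === host.toLowerCase();
  const pathOk = path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  return hostOk && pathOk;
}

// Would a <script src=...> on a page served from pageOrigin be allowed?
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const d = parseCsp(policy);
  // Fallback chain for script elements: script-src-elem, then script-src, then default-src.
  const list = d.get("script-src-elem") || d.get("script-src") || d.get("default-src");
  if (!list) return true; // no governing directive, nothing restricts the load
  const url = new URL(scriptUrl, pageOrigin);
  return list.some((s) => sourceMatches(s, url, pageOrigin));
}
```

When the policy is delivered through a <meta> tag rather than a response header, browsers ignore its frame-ancestors directive, so the local simulation covers resource loading but not framing restrictions.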