axe not compatible with Content-Security-Policy (CSP)

[jplejacq-quoininc-com]

Product: axe-core

Expectation: Should work with website CSP

Actual: Violates CSP which causes problems rendering the page and with third party tools such as Chrome DevTools Lighthouse.

Motivation: Cannot have axe and use CSP

axe-core version: 4.18.2

• Platform: Linux
• Browser: Chrome 96

Please use the test site https://ettyproject.org/ for demonstration of issue.

[WilcoFiers]

@jplejacq-quoininc-com Can you give me steps reproduce the issue? Both Lighthouse and axe DevTools Extension are able to run successfully on the page you've shared. Was there anything you expect to happen that didn't?

We did fairly extensive work on supporting CSP in axe-core version 4.0.0. If there is an issue, that's certainly something that needs to be fixed. You'll have to give me a little more detail on how you've determined there is a CSP issue though.

[jplejacq-quoininc-com]

@WilcoFiers, thank you for looking into this.

The issue #13389 describes the issue. In summary:

• Chrome 96.0.4664.45 on Linux.
• axe DevTools 4.18.2 enabled
• Load page https://ettyproject.org
• Go to Chrome Developer Tools (Ctrl + Shift + I)
• Reload page (Ctrl + R)

DevTools Console will show the following error:

If you remove or disable axe, this error will not occur.

[dylanb]

@WilcoFiers the problem here is that the axe DevTools extension runs code on the page when it loads and this code creates an error log in the console. Extension team can take this from here.

Thanks @jplejacq-quoininc-com for the report