
Fix range buttons blocked by CSP script-src-attr policy #142

Merged
TaprootFreak merged 1 commit into develop from fix/monitoring-inline-onclick on Feb 14, 2026

Conversation

@TaprootFreak
Contributor

Summary

  • Range buttons (24h/7d/30d) on BTC and USD monitoring pages are non-functional on production
  • Root cause: CSP header script-src-attr 'none' blocks all inline onclick event handlers
  • Fix: Replace onclick="loadChart('24h')" HTML attributes with addEventListener in the external JS files, using data-range attributes

Changes

  • monitoring-btc.html / monitoring-usd.html: onclick → data-range attributes
  • monitoring-btc.js / monitoring-usd.js: Add event listener registration at script load

Test plan

  • All 34 Playwright e2e tests pass (range switching, active button state, API calls)
  • yarn lint clean
  • yarn build successful
  • Verify range buttons work on dev.lightning.space after deploy

CSP header 'script-src-attr: none' blocks inline event handlers on
the production site, making range buttons non-functional. Move click
handling to the external JS files using addEventListener on
data-range attributes.
@TaprootFreak TaprootFreak marked this pull request as ready for review February 14, 2026 17:02
@TaprootFreak TaprootFreak merged commit 71d9154 into develop Feb 14, 2026
1 check passed
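
The pattern this PR describes, as an added example that is not the project's code: the markup carries only a data-range value and an external script attaches the click handler. The function name bindRangeButtons, the "active" class name, the range allowlist and a global loadChart are assumptions for illustration.

```javascript
// Added example, not the project's code. Constructed markup:
//   before: <button onclick="loadChart('24h')">24h</button>  (blocked by script-src-attr 'none')
//   after:  <button data-range="24h">24h</button>            (no script in the markup)
// script-src-attr applies only to inline event-handler attributes, so a handler
// registered from an external script file is not affected by it.

// Assumed allowlist, taken from the three ranges named in the PR.
const ALLOWED_RANGES = new Set(['24h', '7d', '30d']);

// Attach a click listener to every [data-range] button under `root`.
// `loadChart` is passed in so the binding can be exercised without a browser.
// Returns the number of buttons that were bound.
function bindRangeButtons(root, loadChart) {
  const buttons = Array.from(root.querySelectorAll('[data-range]'));
  let bound = 0;
  for (const button of buttons) {
    const range = button.getAttribute('data-range');
    // Skip unexpected values instead of forwarding markup-controlled strings.
    if (!ALLOWED_RANGES.has(range)) continue;
    button.addEventListener('click', () => {
      // "active" is an assumed class name for the selected-button state.
      for (const other of buttons) other.classList.remove('active');
      button.classList.add('active');
      loadChart(range);
    });
    bound += 1;
  }
  return bound;
}

// Registration at script load (browser only). Assumes loadChart is a global.
if (typeof document !== 'undefined') {
  const start = () => bindRangeButtons(document, window.loadChart);
  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', start);
  } else {
    start();
  }
}
```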