Cypress and Axe seem to ignore content security policy

I'm using Cypress and Axe to test my website for accessibility but it appears to be ignoring the content security policy (CSP) I have set using a meta tag.

When I run the test I get the following on cy.checkA11y():

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'"

However the target web page (andrewhick.com)'s source code contains the following:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; ">

I tried googling the error, but can't find anyone else with a similar enough issue.

I also considered whether the issue was caching, but reopening Cypress (which I believe should clear the cache) didn't help and besides, Cypress clears the cache automatically.

It could be because the CSP is defined in a meta tag rather than on the server, but I don't believe that my hosting company allows access to the server.

The failing test is stored here.

Also unhelpful is the fact that the issue is intermittent and the suite did work once. I tried adding, removing and re-adding 'unsafe-eval' but the test results didn't correspond to whether the CSP had been updated or not. And although I'm not confident in JavaScript, the test doesn't seem to have any obvious syntax errors. Can anyone help?
