Can't use Elm asset when there is a Content Security Policy

[rachel-barrett]

Hi.

I'm making use of Parcel's built in support for Elm.

I'm doing this as part of an Electron app, which warns me if I have not set a content security policy in my 'index.html'.

But when I add the content security policy (<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';" />), the Elm injection using parcel is blocked. (The error message in the console says the unsafe eval is happening at Elm.Main.init > isFullScreenApp > elmSybol.)

This issue does not happen when I compile the Elm code directly without Parcel (using Elm make src/Main.elm --output src/elm.js).

So am I right to assume this is an issue with Parcel's support for Elm?
Is there anything I need to configure, or does this require a code change to Parcel?

I've created a minimal project that reproduces this issue here (commit 0b700e768d11a0a3abc66ffcacab6750a1ff8196).

[rachel-barrett]

Actually, to be more accurate, this issue only seems to affect parcel serve not parcel build. So it's not really that much of a problem since prod builds will use parcel build; It just means using parcel serve for dev requires different index.html for dev compared to prod, and creates a little bit of noise in the dev console.

[realistschuckle]

Hi, @rachel-barrett! I recently started an Electron + Elm app, too, and ran into the same problem. 😢

I know that this is like five years to late for you, but I fixed that problem (and a couple others, and added headless Elm support) to a fork of the elm-hot. 🚀

If you have the time and inclination, please upvote #10255 so we can get this added as the new dependency in @parcel/transformer-elm.

[rachel-barrett]

Thanks @realistschuckle!