Refused to execute inline script because it violates the following Content Security Policy directive

I’m trying to implement an OAuth flow to connect my team’s DAM to a Figma plugin to allow us to fetch assets from the DAM from Figma. At the moment I’m running into a CSP error when I try to use Figma.showUI.

Note: Using more generic URLs here

In main.ts:

  figma.showUI(
    `<script>window.location.href = "https://oauth.vercel.app"</script>`,
    {height: 640, width: 440}
  )

The full console error reads:

Refused to execute inline script because it violates the following Content Security Policy directive: “default-src data: blob: https://company.dam.com https://oauth.vercel.app”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Q+8tPsjVtiDsjF/Cv8FMOpg2Yg91oKFKDAJat1PPb2g=’), or a nonce (‘nonce-…’) is required to enable inline execution. Note also that ‘script-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

I tested it by replacing window.location.href = "https://oauth.vercel.app" with my own personal website (and added my personal site’s URL to networkAccess.allowedDomains) which worked. I’m unsure now why I’m getting the inline script error.

https://www.figma.com/plugin-docs/oauth-with-plugins/

If anyone runs into this error, I had to fix the CSP header in my hosted UI.
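As an added example, not code from the post or from Figma's documentation: a small Python checker that mirrors the fallback rule quoted in the error (script-src absent, so default-src governs inline scripts), computes the hash source a browser accepts for a given inline script body, and shows the narrower alternative to 'unsafe-inline'. The policy and script strings are copied from the post; the function names and the hardened-policy helper are this example's own.

```python
import base64
import hashlib


def csp_hash_source(inline_script: str) -> str:
    """Return the CSP hash source ('sha256-<base64>') for an inline script body.

    The hash covers exactly the text between <script> and </script>, whitespace
    included, so a one-character edit to the script changes the required hash."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_csp(policy: str) -> dict:
    """Split a policy header value into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_script_allowed(policy: str, inline_script: str) -> bool:
    """Decide whether a browser would execute the inline script under the policy.

    script-src governs inline scripts; when it is not set, default-src is the
    fallback (the note at the end of the quoted error). Execution then needs
    'unsafe-inline' (ignored by CSP Level 2+ browsers once any hash or nonce
    source is present) or a hash source matching the script body."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    keywords = [s.strip("'") for s in sources]  # drop the quotes around keywords
    strict = any(k.startswith(("sha256-", "sha384-", "sha512-", "nonce-")) for k in keywords)
    if "unsafe-inline" in keywords and not strict:
        return True
    return csp_hash_source(inline_script) in keywords


def hardened_policy(policy: str, inline_script: str) -> str:
    """Append an explicit script-src that allow-lists only this script's hash,
    which is the narrower option the browser error suggests over 'unsafe-inline'."""
    return f"{policy}; script-src '{csp_hash_source(inline_script)}'"


# Constructed inputs: the policy and inline script body quoted in the post.
POST_POLICY = "default-src data: blob: https://company.dam.com https://oauth.vercel.app"
POST_SCRIPT = 'window.location.href = "https://oauth.vercel.app"'
```

Because the hash is taken over the exact script text, the hash in a real error message only matches the script body the browser actually saw, not the placeholder URLs used in the post.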