Opened 6 years ago
Closed 6 years ago
#18850 closed enhancement (invalid)
allow setting content-security-policy unsafe-eval mode via run-time configuration
| Reported by: | amb | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | 1.11.3 |
| Component: | Core | Version: | 1.11.1 |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
Description
It would be ideal if dojo would allow setting content-security-policy 'unsafe-eval' mode via run-time configuration.
This feature would allow consumers of dojo 1.11.1 to set a content-security-policy without using 'unsafe-eval'. Currently this is possible only as a build option, but consumers via CDN or other scenarios where building isn't available cannot easily enable this option.
In my opinion, this would be better if this was the default, but I'm guessing it might break some things so perhaps it isn't practical to be default.
For reference, this is the error that is seen when dojo is loaded without 'unsafe-eval' set in the browser content-security-policy:
dojo.js:348 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". hasCache.host-browser @ dojo.js:348 (anonymous function) @ dojo.js:1973 test.js:93
See this thread and its follow-ons for discussion: http://mail.dojotoolkit.org/pipermail/dojo-interest/2016-May/085159.html
Change History (5)
comment:1 Changed 6 years ago by
| Component: | General → Core |
|---|---|
| Milestone: | tbd → 1.12 |
comment:2 Changed 6 years ago by
comment:3 Changed 6 years ago by
| Status: | new → pending |
|---|---|
comment:4 Changed 6 years ago by
| Milestone: | 1.12 → 1.11.3 |
|---|---|
comment:5 Changed 6 years ago by
| Resolution: | → invalid |
|---|---|
| Status: | pending → closed |
Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!
I've tried setting this option via the following dojoConfig and it does allow csp-restrictions to be set:
Code highlighting:
Please let us know if the problem persists using this configuration.