Opened 3 years ago

Closed 3 years ago

#18850 closed enhancement (invalid)

allow setting content-security-policy unsafe-eval mode via run-time configuration

Reported by: amb Owned by:
Priority: undecided Milestone: 1.11.3
Component: Core Version: 1.11.1
Keywords: Cc:
Blocked By: Blocking:

Description

It would be ideal if dojo would allow setting content-security-policy 'unsafe-eval' mode via run-time configuration.

This feature would allow consumers of dojo 1.11.1 to set a content-security-policy without using 'unsafe-eval'. Currently this is possible only as a build option, but consumers via CDN or other scenarios where building isn't available can not easily enable this option.

In my opinion, this would be better if it was the default, but I'm guessing it might break some things so perhaps it isn't practical to be the default.

For reference, this is the error that is seen when dojo is loaded without 'unsafe-eval' set in the browser content-security-policy:

dojo.js:348 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". hasCache.host-browser @ dojo.js:348 (anonymous function) @ dojo.js:1973 test.js:93

See this thread and its follow-ons for discussion: http://mail.dojotoolkit.org/pipermail/dojo-interest/2016-May/085159.html

Change History (5)

comment:1 Changed 3 years ago by dylan

Component: General → Core
Milestone: tbd → 1.12

comment:2 Changed 3 years ago by Michael J Van Sickle

I've tried setting this option via the following dojoConfig and it does allow csp-restrictions to be set:


var dojoConfig = {
  ...
  has: {
    "csp-restrictions": [true|false]
  }
  ...
}

Please let us know if the problem persists using this configuration.
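A way to derive that flag from the policy a site actually deploys, as an added example that is not from the ticket or from Dojo itself: `parseCsp`, `cspPermitsEval`, `dojoConfigFor` and `evalIsBlocked` are names of my own, and the policy string is the one quoted in the ticket's error message.

```javascript
// Added example (not part of the Dojo ticket or the Dojo code base).
// Decide from the deployed Content-Security-Policy whether Dojo's
// "csp-restrictions" has-flag must be switched on.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The source list that governs script execution: script-src if present,
// otherwise default-src, otherwise null (no script restriction at all).
function scriptSources(policy) {
  const d = parseCsp(policy);
  if ('script-src' in d) return d['script-src'];
  if ('default-src' in d) return d['default-src'];
  return null;
}

// True when eval() / new Function() are allowed under this policy.
function cspPermitsEval(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// dojoConfig fragment matching the policy (hypothetical helper). The object
// has to be assigned to window.dojoConfig before dojo.js is loaded.
function dojoConfigFor(policy) {
  return { has: { 'csp-restrictions': !cspPermitsEval(policy) } };
}

// Browser-side probe: without 'unsafe-eval' the Function constructor throws
// the EvalError quoted in the ticket. Under Node (no CSP) it returns false.
function evalIsBlocked() {
  try { new Function('return 1')(); return false; }
  catch (e) { return e instanceof EvalError; }
}

// Constructed sample: the policy from the ticket's error message.
const TICKET_POLICY = "script-src 'self' 'unsafe-inline'";
```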

comment:3 Changed 3 years ago by Michael J Van Sickle

Status: new → pending

comment:4 Changed 3 years ago by dylan

Milestone: 1.12 → 1.11.3

comment:5 Changed 3 years ago by trac-o-bot

Resolution: invalid
Status: pending → closed

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!
