Opened 4 years ago
Closed 3 years ago
#18907 closed defect (fixed)
Possible Content Security Policy violations
| Reported by: | Jolly42 | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | 1.12 |
| Component: | General | Version: | 1.11.1 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
I have been looking into using dojo with a Content Security Policy in place.
Whilst doing this I've found two places where dojo violates the unsafe-eval protection of CSP.
https://github.com/dojo/dojo/blob/master/_base/declare.js line 784 and https://github.com/dojo/dojo/blob/master/i18n.js line 470
Both of these make use of Function(string).
It was my, quite possibly erroneous, understanding that by adding csp-restrictions to the 'has' part of my dojo config, dojo would be placed in a CSP mode, for want of a better term, and would then not cause unsafe-eval violations.
I can provide a simple example if needed.
Change History (1)
comment:1 Changed 3 years ago by
| Milestone: | tbd → 1.12 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Note: See
TracTickets for help on using
tickets.
This has been fixed for 1.12 which will be released this week. Specifically https://github.com/dojo/dojo/commit/98c00fc2674b369b85ad2752cc1e543102b96450 and https://github.com/dojo/dojo/commit/598c215e2247059c709802b69877542fdf88cc27