Opened 3 years ago

Closed 3 years ago

#18907 closed defect (fixed)

Possible Content Security Policy violations

Reported by: Jolly42 Owned by:
Priority: undecided Milestone: 1.12
Component: General Version: 1.11.1
Keywords: Cc:
Blocked By: Blocking:

Description

I have been looking into using dojo with a Content Security Policy in place.

Whilst doing this I've found two places where dojo violates the unsafe-eval protection of CSP.

https://github.com/dojo/dojo/blob/master/_base/declare.js line 784 and https://github.com/dojo/dojo/blob/master/i18n.js line 470

Both of these make use of Function(string).

It was my, quite possibly erroneous, understanding that by adding csp-restrictions to the 'has' part of my dojo config, dojo would be placed in a CSP mode, for want of a better term, and would then not cause unsafe-eval violations.

I can provide a simple example if needed.

Change History (1)

comment:1 Changed 3 years ago by dylan

Milestone: changed from tbd to 1.12
Resolution: fixed
Status: changed from new to closed
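
Added example (not part of the ticket and not dojo's code): a Node.js check that emulates a policy without `unsafe-eval`, so a test run shows whether a code path reaches `Function(string)`. `librarySource`, `makeGetter` and `probeUnderEvalBan` are hypothetical names, and the library snippet is a constructed stand-in that only mirrors the idea of a `csp-restrictions` flag from the description.

```javascript
const vm = require('vm');

// Constructed stand-in for a library that builds functions from strings
// unless a feature flag tells it not to (hypothetical, not dojo source).
const librarySource = `
  function makeGetter(prop, has) {
    if (has['csp-restrictions']) {
      // Closure-based path: no code generation from strings.
      return function (obj) { return obj[prop]; };
    }
    // String-based path: a policy without 'unsafe-eval' blocks this call.
    return new Function('obj', 'return obj.' + prop + ';');
  }
  makeGetter(prop, has)({ name: 'ok' });
`;

// Run `source` in a fresh V8 context where eval() and Function(string)
// are rejected, which emulates a CSP that does not allow 'unsafe-eval'.
function probeUnderEvalBan(source, globals) {
  const ctx = vm.createContext(globals, {
    codeGeneration: { strings: false },
  });
  try {
    return { blocked: false, value: vm.runInContext(source, ctx) };
  } catch (err) {
    // The error comes from another realm, so compare by name, not instanceof.
    if (err && err.name === 'EvalError') {
      return { blocked: true, message: err.message };
    }
    throw err; // unrelated failure: surface it to the test runner
  }
}

// Flag off: the string-based path is taken and rejected.
const withoutFlag = probeUnderEvalBan(librarySource, {
  prop: 'name',
  has: { 'csp-restrictions': false },
});

// Flag on: the closure path is taken and the code runs normally.
const withFlag = probeUnderEvalBan(librarySource, {
  prop: 'name',
  has: { 'csp-restrictions': true },
});

console.log('flag off ->', withoutFlag);
console.log('flag on  ->', withFlag);
```

Running a library's own test suite through a context like this in CI catches new `Function(string)` or `eval` calls before they reach a page served with a strict policy.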