Opened 5 years ago
Closed 4 years ago
#18960 closed defect (invalid)
ItemFileReadStore → xhr → fromJson → eval → Content-Security-Policy violation
| Reported by: | Anders Kaseorg | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | tbd |
| Component: | General | Version: | 1.12.1 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
It seems that ItemFileReadStore cannot work under a useful Content-Security-Policy, because it uses xhr with handleAs: "json-comment-optional", which calls fromJson, which is a wrapper around eval (rather than a real JSON parser like json.parse).
Can we just alias fromJson to json.parse? Or fix xhr’s json/json-comment-filtered/json-comment-optional handlers to use json.parse?
Change History (2)
comment:1 Changed 5 years ago by
| Status: | new → pending |
|---|
comment:2 Changed 4 years ago by
| Resolution: | → invalid |
|---|---|
| Status: | pending → closed |
Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!
The main reason this has not been addressed is that historically we try not break forwards compatibility with APIs.
So the right approach would have been to replace dojo/data to use dojo/request, but there was no way to do this without breaking the API, so instead only dojo/store and dstore rely on dojo/request.
Is there a reason that you cannot upgrade to use dstore/Memory, dstore/RequestMemory, or dojo/store/Memory (or dojo-smore/RequestMemory)?