Opened 5 years ago

Closed 5 years ago

#18960 closed defect (invalid)

ItemFileReadStore → xhr → fromJson → eval → Content-Security-Policy violation

Reported by: Anders Kaseorg
Owned by:
Priority: undecided
Milestone: tbd
Component: General
Version: 1.12.1
Keywords:
Cc:
Blocked By:
Blocking:


It seems that ItemFileReadStore cannot work under a useful Content-Security-Policy, because it uses xhr with handleAs: "json-comment-optional", which calls fromJson, which is a wrapper around eval (rather than a real JSON parser like json.parse).

Can we just alias fromJson to json.parse? Or fix xhr’s json/json-comment-filtered/json-comment-optional handlers to use json.parse?
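
The handler change asked about above, sketched as an added example (not code from this ticket or from Dojo): the comment wrapper is stripped and the body goes to the native `JSON.parse`, so nothing is evaluated and the code runs under a policy without `'unsafe-eval'`. All function and constant names are hypothetical, the sample responses are constructed, and allowing only whitespace outside the wrapper is an assumption.

```javascript
// Added example. Function and constant names are hypothetical, not Dojo APIs.

// Return the text inside a /* ... */ wrapper, or null if there is no wrapper.
// Assumption: only whitespace may appear outside the wrapper.
function stripCommentWrapper(text) {
  const start = text.indexOf("/*");
  const end = text.lastIndexOf("*/");
  if (start === -1 || end < start + 2) return null;
  const outside = text.slice(0, start) + text.slice(end + 2);
  return outside.trim() === "" ? text.slice(start + 2, end) : null;
}

// "json-comment-optional": accept wrapped or bare JSON, never evaluate it.
function parseJsonCommentOptional(text) {
  if (typeof text !== "string" || text.trim() === "") return null;
  const inner = stripCommentWrapper(text);
  return JSON.parse(inner === null ? text : inner);
}

// "json-comment-filtered": the wrapper is mandatory.
function parseJsonCommentFiltered(text) {
  const inner = stripCommentWrapper(String(text));
  if (inner === null) throw new Error("JSON was not comment filtered");
  return JSON.parse(inner);
}

// Report success or failure without throwing, for comparing inputs.
function tryParse(text) {
  try {
    return { ok: true, value: parseJsonCommentOptional(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample responses in the ItemFileReadStore data layout.
const SAMPLE_PLAIN = '{"identifier":"id","items":[{"id":1,"name":"alpha"}]}';
const SAMPLE_WRAPPED = "/* " + SAMPLE_PLAIN + " */";
// Object-literal syntax that eval accepts but strict JSON does not.
const SAMPLE_LENIENT = "{identifier: 'id', items: []}";

console.log(tryParse(SAMPLE_PLAIN).ok);
console.log(tryParse(SAMPLE_WRAPPED).ok);
console.log(tryParse(SAMPLE_LENIENT));
```

The third sample is the compatibility cost of such a swap: a response that parsed only because eval is lenient fails with a `SyntaxError` and has to be corrected where it is generated.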

Change History (2)

comment:1 Changed 5 years ago by dylan

Status: new → pending

The main reason this has not been addressed is that historically we try not to break forwards compatibility with APIs.

So the right approach would have been to replace dojo/data to use dojo/request, but there was no way to do this without breaking the API, so instead only dojo/store and dstore rely on dojo/request.

Is there a reason that you cannot upgrade to use dstore/Memory, dstore/RequestMemory, or dojo/store/Memory (or dojo-smore/RequestMemory)?

comment:2 Changed 5 years ago by trac-o-bot

Resolution: invalid
Status: pending → closed

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!
