Removing unsafe-inline

christian · September 6, 2018, 4:07pm

I wondered if it was possible to use Dojo 1.x without unsafe-inline being present within the CSP?
I’ve tried removing this, however I get errors within dom-construct, _WidgetBase etc.

Is there anything we can do to alleviate these issues?

schallm · September 10, 2018, 2:28pm

Here is the tightest we have been able to lock things down.

		If DoesFileUpload(controller, action) Then
			scriptSrcExtra = "'unsafe-inline'"
			imageSrcExtra = "data:"
		End If
		response.AddHeader(
			"Content-Security-Policy",
				"default-src 'none';" +
				"font-src data:;" +
				"object-src 'self';" +
				$"script-src 'self' 'unsafe-eval' {scriptSrcExtra};" +
				"connect-src 'self';" +
				$"img-src 'self' {imageSrcExtra};" +
				"style-src 'self' 'unsafe-inline';" +
				"frame-src 'self';" +
				"manifest-src 'self';" +
				"report-uri /api/CspReport"
			)

Topic		Replies	Views
Content Security Policy with Dojo Dojo 1.x users	0	687	July 13, 2022
Dojo 1.14 Uploader (no multipart) Dojo 1.x users	6	2481	February 7, 2019
Closure compiler strict errors Dojo 1.x users	2	2309	June 9, 2020
Error loading dojo mobile 1.13.0 (1.12.2) under android chrome browser after update Dojo 1.x users	13	4036	February 24, 2018
dojoGrid(script error in IE browser and FireFox) Dojo 1.x users	0	2231	June 20, 2019

Removing unsafe-inline

Related Topics