I wondered if it was possible to use Dojo 1.x without unsafe-inline being present within the CSP?
I’ve tried removing this, however I get errors within dom-construct, _WidgetBase etc.
Is there anything we can do to alleviate these issues?
Here is the tightest we have been able to lock things down.
' Start with no extra sources; only pages that host the upload widget get the relaxed ones.
Dim scriptSrcExtra As String = ""
Dim imageSrcExtra As String = ""

' DoesFileUpload is the post's own helper that decides whether this controller/action serves a file-upload page.
If DoesFileUpload(controller, action) Then
    scriptSrcExtra = "'unsafe-inline'"
    imageSrcExtra = "data:"
End If

' Emit the whole policy as one header; directives are separated by semicolons.
' default-src 'none' means any directive not listed below falls back to allowing nothing.
response.AddHeader(
    "Content-Security-Policy",
    "default-src 'none';" &
    "font-src data:;" &
    "object-src 'self';" &
    $"script-src 'self' 'unsafe-eval' {scriptSrcExtra};" &
    "connect-src 'self';" &
    $"img-src 'self' {imageSrcExtra};" &
    "style-src 'self' 'unsafe-inline';" &
    "frame-src 'self';" &
    "manifest-src 'self';" &
    "report-uri /api/CspReport"
)
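As an added example (not code from the original post), the following JavaScript rebuilds the policy from the answer above for both the upload and non-upload cases and then parses it back, listing which directives still depend on a risky source expression ('unsafe-inline', 'unsafe-eval', data:, *). It also applies the CSP fallback rule, so a directive that is absent is judged by default-src. The directive names and the /api/CspReport path are taken from the answer; everything else (function names, the list of expressions treated as risky) is this example's own choice.

```javascript
// Added example: audit a Content-Security-Policy header value for risky source expressions.

// Parse "directive src src; directive src" into { directive: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Source expressions a reviewer would want flagged (example's own list, not from the post).
const RISKY = ["'unsafe-inline'", "'unsafe-eval'", 'data:', '*'];

// Fetch directives that are not set fall back to default-src (CSP fallback rule).
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  return policy['default-src'] || [];
}

// Returns entries like "script-src 'unsafe-inline'" for every risky source in the audited directives.
function riskyDirectives(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ['script-src', 'style-src', 'img-src', 'font-src', 'object-src']) {
    for (const src of effectiveSources(policy, directive)) {
      if (RISKY.includes(src.toLowerCase())) {
        findings.push(`${directive} ${src}`);
      }
    }
  }
  return findings;
}

// Rebuild the policy from the answer above; the boolean stands in for DoesFileUpload(controller, action).
function buildPolicy(doesFileUpload) {
  const scriptSrcExtra = doesFileUpload ? " 'unsafe-inline'" : '';
  const imageSrcExtra = doesFileUpload ? ' data:' : '';
  return [
    "default-src 'none'",
    'font-src data:',
    "object-src 'self'",
    `script-src 'self' 'unsafe-eval'${scriptSrcExtra}`,
    "connect-src 'self'",
    `img-src 'self'${imageSrcExtra}`,
    "style-src 'self' 'unsafe-inline'",
    "frame-src 'self'",
    "manifest-src 'self'",
    'report-uri /api/CspReport',
  ].join('; ');
}

// Usage: compare what the two variants of the policy still permit.
console.log('non-upload pages:', riskyDirectives(buildPolicy(false)));
console.log('upload pages:    ', riskyDirectives(buildPolicy(true)));
```

Running it shows that even the non-upload variant keeps 'unsafe-eval' on script-src and 'unsafe-inline' on style-src, and that the upload variant additionally opens script-src to 'unsafe-inline' and img-src to data:. Reports arriving at /api/CspReport are the place to see which of Dojo's inline constructs actually trip the policy when an expression is removed.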