Removing unsafe-inline


#1

I wondered if it was possible to use Dojo 1.x without unsafe-inline being present within the CSP?
I’ve tried removing this, however I get errors within dom-construct, _WidgetBase etc.

Is there anything we can do to alleviate these issues?


#2

Here is the tightest we have been able to lock things down.

		' Both extras stay empty unless the page needs inline script and data: images (file upload)
		Dim scriptSrcExtra As String = ""
		Dim imageSrcExtra As String = ""
		If DoesFileUpload(controller, action) Then
			scriptSrcExtra = "'unsafe-inline'"
			imageSrcExtra = "data:"
		End If
		' A space after each ";" is optional for CSP but keeps the header readable in logs
		response.AddHeader(
			"Content-Security-Policy",
				"default-src 'none'; " +
				"font-src data:; " +
				"object-src 'self'; " +
				$"script-src 'self' 'unsafe-eval' {scriptSrcExtra}; " +
				"connect-src 'self'; " +
				$"img-src 'self' {imageSrcExtra}; " +
				"style-src 'self' 'unsafe-inline'; " +
				"frame-src 'self'; " +
				"manifest-src 'self'; " +
				"report-uri /api/CspReport"
			)
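An added example (not code from this thread, from Dojo, or from the poster's application) that reproduces the policy above in Python so it can be built, audited and tied back to the `report-uri` endpoint: `build_policy` mirrors the `DoesFileUpload` branch, `audit_policy` lists the directives that carry `'unsafe-inline'`, `'unsafe-eval'` or other loosening values, and `summarise_reports` groups the JSON violation reports a browser POSTs to `/api/CspReport` so you can see which directive the inline Dojo code trips. The report bodies and the `https://app.example` URLs are constructed sample data.

```python
"""Build, audit and triage a Content-Security-Policy (added example)."""
import json
from typing import Dict, Iterable, List

# Directive values copied from the thread's policy; the two conditional
# additions ('unsafe-inline' and data:) are applied by build_policy().
BASE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'none'"],
    "font-src": ["data:"],
    "object-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-eval'"],
    "connect-src": ["'self'"],
    "img-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "frame-src": ["'self'"],
    "manifest-src": ["'self'"],
    "report-uri": ["/api/CspReport"],
}


def build_policy(does_file_upload: bool) -> str:
    """Serialise the policy; the flag plays the role of DoesFileUpload() in the thread."""
    directives = {name: list(values) for name, values in BASE_POLICY.items()}
    if does_file_upload:
        directives["script-src"].append("'unsafe-inline'")
        directives["img-src"].append("data:")
    # "; " between directives: the space is optional in the CSP grammar.
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split a serialised policy back into {directive: [source values]}."""
    result: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result


# Keywords that weaken any directive, plus data: where it can carry script.
ALWAYS_WEAK = {"'unsafe-inline'", "'unsafe-eval'", "*"}
DATA_WEAK_DIRECTIVES = {"default-src", "script-src", "object-src"}


def audit_policy(header: str) -> Dict[str, List[str]]:
    """Return {directive: [weakening values]} for every directive that has any."""
    findings: Dict[str, List[str]] = {}
    for name, values in parse_policy(header).items():
        weak = [v for v in values
                if v in ALWAYS_WEAK or (v == "data:" and name in DATA_WEAK_DIRECTIVES)]
        if weak:
            findings[name] = weak
    return findings


def summarise_reports(raw_reports: Iterable[str]) -> Dict[str, int]:
    """Count report-uri POST bodies by 'directive <- blocked-uri'.

    Browsers send a JSON object under the top-level key "csp-report";
    "blocked-uri" is the literal "inline" for inline script or style.
    """
    counts: Dict[str, int] = {}
    for body in raw_reports:
        report = json.loads(body).get("csp-report", {})
        directive = report.get("effective-directive") or report.get("violated-directive", "?")
        directive = directive.split()[0]  # violated-directive may carry the full value list
        key = f"{directive} <- {report.get('blocked-uri', '?')}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample reports (not captured from a real browser).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "effective-directive": "script-src", "blocked-uri": "inline",
                               "source-file": "https://app.example/dojo/dom-construct.js",
                               "line-number": 1}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "violated-directive": "script-src 'self' 'unsafe-eval'",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "effective-directive": "style-src", "blocked-uri": "inline"}}),
]

if __name__ == "__main__":
    for upload in (False, True):
        header = build_policy(upload)
        print(header)
        print("  weak:", audit_policy(header))
    print(summarise_reports(SAMPLE_REPORTS))
```

Running the audit against the policy with the upload branch off still flags `style-src` and `'unsafe-eval'` in `script-src`, which is the residual exposure the post describes as the tightest achievable; the report summary is what tells you whether removing `'unsafe-inline'` would break script, style, or both.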