|
|
|
|
|
Re: RAP and Content Security Policy [message #1850375 is a reply to message #1850293] |
Mon, 28 February 2022 09:05 |
Ivan Furnadjiev Messages: 2427 Registered: July 2009 Location: Sofia, Bulgaria |
Senior Member |
|
|
Hi Sebastien,
the "eval" is used by Browser widget, client scripting and JavaScriptExecutor. No other RAP client-side code requires the usage of "eval". What is your suggestion here?
Please open an enhancement request and create Gerrit changes with suggestions to improve the framework in this direction.
Best regards,
Ivan
[Updated on: Tue, 01 March 2022 09:40] Report message to a moderator
|
|
|
|
Re: RAP and Content Security Policy [message #1850397 is a reply to message #1850293] |
Tue, 01 March 2022 10:44 |
Ivan Furnadjiev Messages: 2427 Registered: July 2009 Location: Sofia, Bulgaria |
Senior Member |
|
|
Sebastien,
RAP framework is using 2 scripts by default:
1. inline script in rwt-index.html
2. RAP javascript client
We can add "nonce" attribute to them with predefined values in order to be used in the CSP. What do you think? For all other JS libraries registered in StartupPage we can also add "nonce" attribute with some kind of hash from the path.
But.... it will be better to open an enhancement request and continue the discussion there with your suggestions too.
Best regards,
Ivan
[Updated on: Tue, 01 March 2022 11:38] Report message to a moderator
|
|
|
|
Powered by
FUDForum. Page generated in 0.03973 seconds