Content Security Policy requires 'unsafe-eval' for script-src

Hello,

Using a strict Content Security Policy (CSP) with the DocumentEditor and DocumentEditorContainer components, we are requested to add the unsafe-eval parameter to our rules, as seen on the image below:

Image_8121_1698155894453

I have checked the Syncfusion docs on CSP errors, such as https://ej2.syncfusion.com/javascript/documentation/common/how-to/csp-errors, but none of the suggested solutions apply as we are not using rendering templates or adding images directly. Is it possible that the DocumentEditor or the DocumentEditorContainer components are doing this themselves?

I would be happy to help with any additional information.


9 Replies 1 reply marked as answer

GS Gayathri Swetha Magesh Syncfusion Team November 3, 2023 04:54 PM UTC

Hi Daniel,

Could you please share the version of the Document Editor component you are using? This information will be helpful for validation purposes.

Regards,

Gayathri Swetha M



DS Daniel Souza replied to Gayathri Swetha Magesh November 3, 2023 05:07 PM UTC

Hello Gayathri,

Sure, we are using version 22.1.41 of the Document Editor component.
Thank you for your time.

Regards,
Daniel Souza



CC Costas Constantinou November 13, 2023 06:35 PM UTC

Good day,


I can confirm this error is happening for me as well. I was able to pinpoint exactly where this error is happening when passing a template to a dataLabel on a pie chart. See screenshots attached.


This stops the pie chart from displaying.


"@syncfusion/ej2-angular-charts": "^23.1.41"


Kind regards,

Jude Ugbefu




DS Daniel Souza replied to Costas Constantinou November 14, 2023 12:40 PM UTC

Hello Costas,

As far as I was able to understand this whole issue, your problem seems to be slightly different than mine as you are in fact using templates. In that case, this should be the intended behavior as you are providing a string to be evaluated, hence the need for the unsafe-eval.

You should be able to fix that by replacing the value of the template property from a string to a function. See: https://ej2.syncfusion.com/javascript/documentation/common/template#function-template

Let me know if that helps!

Kind regards, 
Daniel Souza
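
Added example, not part of the thread and not Syncfusion code: the difference between a string template and a function template when code generation from strings is blocked. The `library` function is a hypothetical stand-in for a template compiler, and Node's `vm` option `codeGeneration.strings: false` is used here to mimic a `script-src` policy without 'unsafe-eval'; the sample data is constructed.

```javascript
// Load node:vm whether this file runs as CommonJS or as an ES module.
const vm = typeof require === 'function'
  ? require('node:vm')
  : process.getBuiltinModule('node:vm');

// Hypothetical template handling, run inside the restricted context below.
function library() {
  function compile(tpl) {
    // Turning a string into executable code: the step CSP blocks without 'unsafe-eval'.
    return new Function('point', 'return `' + tpl + '`;');
  }
  return function render(template, point) {
    // A function template is already code, so nothing is compiled at run time.
    const fn = typeof template === 'function' ? template : compile(template);
    return fn(point);
  };
}

// allowEval=false mirrors script-src without 'unsafe-eval'.
function renderUnderPolicy(allowEval, template, point) {
  const ctx = vm.createContext(
    { template, point },
    { codeGeneration: { strings: allowEval, wasm: false } }
  );
  try {
    const html = vm.runInContext(`(${library})()(template, point)`, ctx);
    return { ok: true, html };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample data for a chart data label.
const samplePoint = { x: 'Chrome', y: 63 };
const stringTemplate = '<b>${point.x}</b>: ${point.y}%';
const functionTemplate = (point) => `<b>${point.x}</b>: ${point.y}%`;

console.log('string, eval allowed  :', renderUnderPolicy(true, stringTemplate, samplePoint));
console.log('string, eval blocked  :', renderUnderPolicy(false, stringTemplate, samplePoint));
console.log('function, eval blocked:', renderUnderPolicy(false, functionTemplate, samplePoint));
```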



DS Daniel Souza replied to Gayathri Swetha Magesh November 14, 2023 12:42 PM UTC

Hello Gayathri, 

Was there any update on this issue? I would be happy to help with a PR if some guidelines were given.

Thank you for your attention.

Best regards,
Daniel Souza



KD Kesavan D Syncfusion Team November 16, 2023 09:35 AM UTC

We are facing this issue due to a template issue in one of our dependent components. We are currently validating this and will update with further details by Nov 16 2023.


Regards,

Kesavan.



KD Kesavan D Syncfusion Team November 16, 2023 09:53 AM UTC

We request you to use the "enableCsp" property to avoid this issue.

var documenteditorContainer = new ej.documenteditor.DocumentEditorContainer({ enableToolbar: true, height: '590px', enableCsp: true });

Regards,

Kesavan.


Marked as answer

DS Daniel Souza November 16, 2023 04:38 PM UTC

Hello Kesavan,

I can confirm that this has solved the issue for me!
Thank you for your time.

Best regards, 
Daniel



KD Kesavan D Syncfusion Team November 20, 2023 05:43 AM UTC

Daniel, we are glad to know the issue is resolved.

