Securing ZK without Unsafe-Eval and Unsafe-Inline CSP
General considerations
eval and inline script sources
Scripts run by a web browser can originate from many different types of sources, the most familiar being an external file referenced by a `src` attribute. Two of these sources matter in particular for ZK's client engine: code produced by evaluating strings (governed by the CSP keyword 'unsafe-eval') and inline scripts (governed by 'unsafe-inline').
eval source
CSP has no source expression literally named "eval"; the keyword in question is 'unsafe-eval', which controls whether the page may turn strings into code: eval(), new Function(), and the string forms of setTimeout() and setInterval(). The ZK client engine evaluates scripts when building client-side objects, so a ZK client requires 'unsafe-eval' in the directive that governs scripts (script-src, or default-src when no script-src is given).
See the MDN CSP documentation for more information.
inline source
Likewise, the keyword that governs inline code is 'unsafe-inline'. It controls `script` elements that carry a body instead of a `src` attribute (and, in the same directive, inline event-handler attributes and javascript: URLs). The ZK client engine writes such script elements into the page to load itself during page creation, and to load additional library resources, such as wpd files containing widget classes.

```html
<script>
// This is an inline script: it has a body and no src attribute, so it is
// governed by 'unsafe-inline' (or by a nonce or hash source that matches it).
function foo() {
  return "bar";
}
</script>
```
See the MDN CSP documentation for more information.
Insecure CSP for inline and eval scripts
A simple-to-implement but insecure way to let ZK's scripts use both sources is to declare 'unsafe-inline' and 'unsafe-eval' in the page's script-src (or default-src) directive. This makes ZK work, but it gives up most of what script-src is meant to provide: any markup an attacker manages to inject into the page, and any attacker-controlled string that reaches eval(), is then allowed to run as script, which is exactly the class of injection CSP exists to block.
Version History
Version | Date | Content |
---|---|---|