Topic: mdb.js violates csp unsafe-eval

gtwohig free asked 4 years ago


Expected behavior: I should be able to include mdb.js from mdb pro without having to set a content-security-policy of script-src 'self' 'unsafe-eval'.

Actual behavior: I get CSP violations; there are two eval statements in mdb.js.

Resources (screenshots, code snippets etc.): From inspector:

Content Security Policy: The page’s settings observed the loading of a resource at eval (“script-src”). A CSP report is being sent. mdb.js:17280:21

Content Security Policy: The page’s settings observed the loading of a resource at eval (“script-src”). A CSP report is being sent. mdb.js:17777:21


Logan Marshall priority commented 4 years ago

Completely agree.

I also posted this over on the GitHub for MD bootstrap. Still haven’t had a response. This CSP issue is preventing an A+ security headers rating.

As many paying Pro customers here, it would be great to get a response here from MD bootstrap.


Grzegorz Bujański staff commented 4 years ago

Hi. We keep in mind that this error still occurs. We are currently planning a refactor for several components. We will check if errors are related to them and try to fix this. Best, Grzegorz.


Rushman1 free commented 4 years ago

Are there any workarounds for this issue? I am trying to use it and I keep getting errors that are stopping me.


Grzegorz Bujański staff commented 4 years ago

Hi. Can you say something more? What are you trying to use and what is stopping you?
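
An added example, not part of the thread or of MDB's code: the console messages in the question say a CSP report is being sent, so the collected reports can be grouped by script location to see which call sites still use `eval` before `'unsafe-eval'` is left out of `script-src`. The report bodies are constructed, `example.test` is a placeholder origin, and the function names are hypothetical; only the two line:column pairs come from the question.

```javascript
// Groups CSP violation reports (legacy report-uri JSON: {"csp-report": {...}})
// by the script location that triggered an eval violation.
function summarizeEvalViolations(reports) {
  const sites = new Map();
  for (const body of reports) {
    const r = body && body["csp-report"];
    if (!r || r["blocked-uri"] !== "eval") continue; // malformed or non-eval report
    // Older browsers put the whole directive text in violated-directive.
    const directive = r["effective-directive"] || r["violated-directive"] || "";
    if (!/^script-src/.test(directive)) continue;
    const key = [r["source-file"] || "(unknown)",
                 r["line-number"] ?? "?", r["column-number"] ?? "?"].join(":");
    const entry = sites.get(key) || { location: key, count: 0, pages: new Set() };
    entry.count += 1;
    entry.pages.add(r["document-uri"] || "(unknown)");
    sites.set(key, entry);
  }
  // Most frequent call sites first; ties ordered by location for stable output.
  return [...sites.values()]
    .sort((a, b) => b.count - a.count || a.location.localeCompare(b.location))
    .map(e => ({ location: e.location, count: e.count, pages: [...e.pages].sort() }));
}

// True when no eval reports remain, so 'unsafe-eval' is not needed in script-src.
function canDropUnsafeEval(reports) {
  return summarizeEvalViolations(reports).length === 0;
}

// Constructed sample input. Line/column values are the ones from the question.
const mk = (page, blocked, line, col) => ({ "csp-report": {
  "document-uri": page, "effective-directive": "script-src", "blocked-uri": blocked,
  "source-file": "https://example.test/js/mdb.js",
  "line-number": line, "column-number": col, "disposition": "report" } });
const sampleReports = [
  mk("https://example.test/", "eval", 17280, 21),
  mk("https://example.test/pricing", "eval", 17280, 21),
  mk("https://example.test/", "eval", 17777, 21),
  mk("https://example.test/", "inline", 12, 3), // inline violation, not eval
  {},                                           // malformed body, ignored
];

console.log(summarizeEvalViolations(sampleReports));
console.log("can drop 'unsafe-eval':", canDropUnsafeEval(sampleReports));
```
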




Status

Opened

Specification of the issue

  • ForumUser: Free
  • Premium support: No
  • Technology: MDB jQuery
  • MDB Version: 4.10.0
  • Device: PC
  • Browser: Firefox 70.0.1
  • OS: Ubuntu 18.04
  • Provided sample code: Yes
  • Provided link: No