
Content Security Policy without 'unsafe-eval' for script-src does not load the Grid Control

We are using Grid and Chart controls in one of our Web Application Portals. For security reasons and company policies, we have to implement a stricter Content Security Policy.

So if we don't use 'unsafe-eval' for script-src in the Content Security Policy definition, then the Grid control does not get loaded on the web page. We are seeing the below error in the JavaScript console.

EvalError: call to Function() blocked by CSP ej2.min.js:10:14836
 
Content Security Policy for the App:

default-src 'self';style-src 'self' cdn.syncfusion.com fonts.googleapis.com 'unsafe-inline';font-src 'self' data: cdn.syncfusion.com fonts.googleapis.com fonts.gstatic.com ;frame-src www.google.com;img-src 'self' data: https:;object-src 'none'; script-src 'self' cdn.polyfill.io www.gstatic.com www.google.com ajax.googleapis.com fonts.googleapis.com;frame-ancestors 'none';

Only if we add 'unsafe-eval' to script-src does it work.

However, the Chart controls work and get displayed without any issues.

Can you please let us know if Grid needs this 'unsafe-eval' to work? I have attached the screenshot of the error.

Attachment: Temp_f4bb8356.zip

9 Replies

TS Thiyagu Subramani Syncfusion Team April 24, 2020 08:13 AM UTC

Hi Naveen, 

Thanks for contacting Syncfusion forum. 

Based on your reported information we have prepared a sample, and in our sample the mentioned issue is not reproduced at our end.

Please refer to the code and sample link. 

<meta charset="utf-8">
<!-- The policy must be carried in the content attribute of the meta tag -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self';style-src 'self' cdn.syncfusion.com fonts.googleapis.com 'unsafe-inline';font-src 'self' data: cdn.syncfusion.com fonts.googleapis.com fonts.gstatic.com ;frame-src www.google.com;img-src 'self' data: https:;object-src 'none'; script-src 'self' cdn.polyfill.io www.gstatic.com www.google.com ajax.googleapis.com fonts.googleapis.com;frame-ancestors 'none';">

If you are still facing the issue, please share the below details.

1. Share the complete Grid code example. 

2. If possible, replicate the issue in the attached sample. 

3. Syncfusion Package Version. 

Please get back to us, if you need any further assistance. 

Regards, 
Thiyagu S. 



NR NAVEEN RAAJU April 26, 2020 05:02 AM UTC

Thanks for the email.

I am able to replicate this scenario in a standalone program.

I have attached the zip file. Please run index.html to replicate this scenario with CSP having no 'unsafe-eval' in 'script-src'.

The other file index_working.html has a CSP with 'unsafe-eval' in 'script-src' and this is working fine.

Attachment: BrokerPortal_50e8bd9b.zip


NR NAVEEN RAAJU April 29, 2020 01:22 PM UTC

Hi,

Any update on this? Can you replicate the scenario?


NR NAVEEN RAAJU May 1, 2020 05:09 PM UTC

Hi,

Any updates on this? Can you please respond on this?


TS Thiyagu Subramani Syncfusion Team May 4, 2020 04:02 PM UTC

Hi NAVEEN,

Sorry for the delay.

Your reported issue is also replicated on our side. As a consequence, we are currently validating this case with our source and will share more information on 6 May 2020. We appreciate your patience until that time.

Please get back to us, if you need any further assistance.

Regards,

Thiyagu S



NR NAVEEN RAAJU May 6, 2020 04:37 AM UTC

Thanks for the update.


TS Thiyagu Subramani Syncfusion Team May 7, 2020 08:05 AM UTC

Hi NAVEEN, 

Thanks for your patience. 

Query: Content Security Policy Error

We have validated this and would like to inform you that no "unsafe-eval" error will result from using a Syncfusion component without any template functionality. When applying a template in the components, we need to control the DOM to insert or remove HTML elements, and for that "new Function" is used. But we assure you that if Syncfusion components are used without any template functionality, there will be no CSP violation.

Note: In your reported sample you have used templates in your application.

Please get back to us, if you need any further assistance. 

Regards, 
Thiyagu S. 
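The reply above explains that the Grid's template engine compiles templates with "new Function", which a script-src without 'unsafe-eval' blocks. The following is an added example, not code from this thread or from Syncfusion: a small checker that parses a CSP string (using the policy posted in the question as constructed input), reports whether the effective script-src permits eval-style code, including the fallback to default-src, and a runtime probe that detects the same EvalError the Grid hits. The function names are assumptions for illustration.

```javascript
// Added example (not from the thread or from Syncfusion): CSP eval-permission
// checker plus a runtime probe for the EvalError seen in the question.

// Parse "name src src; name src" into { name: [sources] }; a repeated
// directive is ignored, as browsers only honour the first occurrence.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src falls back to default-src when it is absent. The keyword must
// be quoted ('unsafe-eval'); an unquoted unsafe-eval is treated as a host.
function scriptSrcAllowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] ?? d['default-src'] ?? [];
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe: the same operation the template compiler performs. Under a
// CSP without 'unsafe-eval' a browser throws EvalError; in Node (no CSP) or
// with 'unsafe-eval' present, new Function succeeds and this returns false.
function evalBlockedByCsp() {
  try {
    new Function('return 1')();
    return false;
  } catch (e) {
    return e instanceof EvalError;
  }
}

// Constructed copy of the policy posted in the question.
const PORTAL_CSP =
  "default-src 'self';style-src 'self' cdn.syncfusion.com fonts.googleapis.com 'unsafe-inline';" +
  "font-src 'self' data: cdn.syncfusion.com fonts.googleapis.com fonts.gstatic.com ;" +
  "frame-src www.google.com;img-src 'self' data: https:;object-src 'none'; " +
  "script-src 'self' cdn.polyfill.io www.gstatic.com www.google.com ajax.googleapis.com fonts.googleapis.com;" +
  "frame-ancestors 'none';";

console.log('portal policy allows eval:', scriptSrcAllowsEval(PORTAL_CSP)); // false
console.log('eval blocked in this runtime:', evalBlockedByCsp());
```

In a browser, pairing the probe with a `securitypolicyviolation` event listener (or a report-uri/report-to directive) surfaces which directive and source were blocked rather than relying on the console message alone.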



NR NAVEEN RAAJU May 7, 2020 09:13 PM UTC

Thanks for the update. However, we have a requirement to include the templates as part of the Grid in the portal. Do you have any solution for this?

Do you have  a plan to address this issue in the future? Nevertheless, this is an issue when using the template feature in Grid.


TS Thiyagu Subramani Syncfusion Team May 8, 2020 12:34 PM UTC

Hi NAVEEN, 

Thanks for your update. 

Sorry for the inconvenience.

Currently we do not have support for Content Security Policy with templates, and there is no plan to address this support in the future.

Please get back to us, if you need any further assistance. 

Regards, 
Thiyagu S. 

