Dhtmlx suite 4.2 - Content Security Policy


I’m working on an app which is using dhtmlxSuite 4.2 and was working on refactoring the code base in order to support Content Security Policy. For now we are removing the ‘unsafe-inline’ and we are using a nonce to secure inline scripts.

Could you please provide some information regarding dhtmlx suite 4.2: does it support CSP and, if yes, how can I configure it to support it? I was looking over the internet and I’m not able to find any relevant documentation for this version.

Our script-src directive in CSP header is:
script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-r4nd0m'

Currently the following error shows in browser:

 [Report Only] Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-xk0G314zlbshNaCyRmCZfqZNr3N8EEG3ZYSUkRvnfSs='
obj.callEvent|@|VM2422 dhtmlxcommon.js:929

In the dhtmlxSuite sources there are eval functions due to the project functionality factor, so the CSP will block the scripts importing for the “unsafe-eval”.

Yes, I’m aware of that, also I use ‘unsafe-eval’ in my CSP header for this reason. My initial question is related to the ‘unsafe-inline’ violation by the JQuery. Thank you though for your time.
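An added example, not part of the thread and not DHTMLX code: a small evaluator for a script-src source list that follows the CSP Level 3 rules, showing why the policy quoted in the question still refuses inline event handlers even when the nonce is valid. The function name `analyzeScriptSrc` and its result fields are assumptions made for this illustration.

```javascript
// Added example: CSP Level 3 script-src evaluation for the cases in this thread.
// analyzeScriptSrc and its result fields are names chosen for this illustration.
function analyzeScriptSrc(directive) {
  const tokens = directive.trim().split(/\s+/);
  if (tokens[0].toLowerCase() === 'script-src') tokens.shift();

  const isNonce = t => /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/i.test(t);
  const isHash = t => /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/i.test(t);
  const has = kw => tokens.some(t => t.toLowerCase() === kw);

  const strictDynamic = has("'strict-dynamic'");
  const hasNonce = tokens.some(isNonce);
  const hasHash = tokens.some(isHash);

  // 'unsafe-inline' only takes effect when no nonce, hash or 'strict-dynamic'
  // appears in the same source list.
  const unsafeInlineEffective =
    has("'unsafe-inline'") && !hasNonce && !hasHash && !strictDynamic;

  // Event-handler attributes (onclick="...") cannot carry a nonce. They run only
  // under an effective 'unsafe-inline', or 'unsafe-hashes' plus a matching hash.
  let inlineEventHandlers = 'blocked';
  if (unsafeInlineEffective) inlineEventHandlers = 'allowed';
  else if (has("'unsafe-hashes'") && hasHash) inlineEventHandlers = 'hash-match-only';

  // Sources the browser disregards for this list.
  const ignored = tokens.filter(t => {
    const k = t.toLowerCase();
    if (k === "'unsafe-inline'") return !unsafeInlineEffective;
    // 'strict-dynamic' drops 'self' and every host or scheme allowlist entry.
    return strictDynamic && (k === "'self'" || !k.startsWith("'"));
  });

  return {
    nonceScriptsAllowed: hasNonce,
    inlineEventHandlers,
    evalAllowed: has("'unsafe-eval'"),
    ignored,
  };
}

// The policy quoted in the question.
const posted = analyzeScriptSrc(
  "script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-r4nd0m'");
console.log(posted);
```

For the posted policy the result reports inline event handlers as blocked and `'self'` as ignored, so handlers set through attributes have to be moved to `addEventListener` calls in a nonce-carrying script for the violation to disappear.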