Dhtmlx suite 4.2 - Content Security Policy

Ciprian · December 23, 2022, 2:48pm

Hello,

I’m working on an app which is using dhtmlxSuite 4.2 and was working on refactoring the code base in order to support Content Security Policy. For now we are removing the ‘unsafe-inline’ and we are using a nonce to secure inline scripts.

Could you please provide some information regarding dhtmlx suite 4.2, does it support CSP and if yes how can I configure it to support? I was looking over internet and I’m not able to find any relevant documentation for this version.

Our script-src directive in CSP header is:
script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-r4nd0m'

Currently the following error shows in browser:

 [Report Only] Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-xk0G314zlbshNaCyRmCZfqZNr3N8EEG3ZYSUkRvnfSs='
|dhtmlXCellObject._detachObject|@|dhtmlxcontainer.js:1010|
|---|---|---|
dhtmlXCellObject.unloadView|@|dhtmlxcontainer.js:356
dhtmlXCellObject._unload|@|dhtmlxcontainer.js:547
dhtmlXWindows._winClose|@|dhtmlxwindows.js:874
dhtmlXWindows._winButtonClick|@|dhtmlxwindows.js:1719
dhtmlXWindows._winMouseDownHandler|@|dhtmlxwindows.js:998
obj.callEvent|@|VM2422 dhtmlxcommon.js:929
_winOnMouseDown|@|dhtmlxwindows.js:259

sematik · December 30, 2022, 4:29pm

In the dhtmlxSuite sources there are eval functions due to the project functionality factor, so the CSP will block the scripts importing for the “unsafe-eval”.

Ciprian · December 30, 2022, 6:05pm

Yes, I’m aware of that, also I use ‘unsafe-eval’ in my CSP header for this reason. My initial question is related to the ‘unsafe-inline’ violation by the JQuery. Thank you tho for your time.