CSP violations

Stimulsoft Reports.JS discussion
jka
Posts: 1
Joined: Wed Nov 16, 2022 4:24 pm

CSP violations

Post by jka »

Hello, I'm trying to use the Stimulsoft viewer using the npm package (similarly to the Integrating the Report Viewer into an Application (TypeScript) sample). All works fine so far, but I ran into some CSP issues and I couldn't find anything in the documentation or the forum, so I decided to create a new topic here.

The thing is, I have a stricter content security policy set up on my site and I'm getting some violation errors because of that. I figured I have to allow unsafe-inline for styles and scripts to make the viewer work, but I wanted to ask if maybe there is some setting to disable inline scripts and styles or a possibility to add a nonce to whitelist the inline parts.

You can surely reproduce the issue when you add this meta tag to any of the examples' index.html and try to load reports like ChartStyle.mrt, MasterDetail.mrt and so on.


<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:; font-src data:">
If I edit the policy like this, the reports render fine, but it's not very desirable from the security point of view.


<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src data:">
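Added example, not from this thread or from Stimulsoft: a small CSP parser that audits the two policies quoted in the post and builds the nonce-based policy the post asks about. It assumes Node.js (require("crypto") for the nonce); whether the viewer's own injected inline code can carry that nonce is not settled in the thread, and a nonce never substitutes for 'unsafe-eval'.

```javascript
// Added example, not from the thread or from Stimulsoft: a small CSP parser
// that audits the two policies quoted above and builds the nonce-based
// alternative asked about. Assumes Node.js (require("crypto") for the nonce).

// Parse a policy string into a Map of directive name -> Set of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (!directives.has(name)) directives.set(name, new Set(tokens.slice(1)));
  }
  return directives;
}

// Sources that apply to a fetch directive, falling back to default-src.
function effectiveSources(directives, name) {
  return directives.get(name) || directives.get("default-src") || new Set();
}

// Summarise what the policy lets inline code do. A nonce or hash source in a
// directive makes 'unsafe-inline' ignored there, so it is not counted as inline-allowed.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const script = effectiveSources(d, "script-src");
  const style = effectiveSources(d, "style-src");
  const nonceOrHash = (set) => [...set].some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    inlineScripts: script.has("'unsafe-inline'") && !nonceOrHash(script),
    evalAllowed: script.has("'unsafe-eval'"),
    inlineStyles: style.has("'unsafe-inline'") && !nonceOrHash(style),
  };
}

// Fresh per-response nonce; reuse it on every <script nonce="..."> / <style nonce="..."> emitted.
function generateNonce() {
  return require("crypto").randomBytes(16).toString("base64");
}

// The stricter policy from the post, with the nonce replacing 'unsafe-inline'.
// A nonce cannot stand in for 'unsafe-eval': only code that avoids
// eval()/new Function() runs without that keyword.
function nonceCsp(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; ` +
    `style-src 'self' 'nonce-${nonce}'; img-src 'self' data:; font-src data:`;
}
```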
Lech Kulikowski
Posts: 6238
Joined: Tue Mar 20, 2018 5:34 am

Re: CSP violations

Post by Lech Kulikowski »

Hello,

We need some additional time to investigate the issue; we will let you know about the result.

Thank you.