ag-grid / ag-grid

The best JavaScript Data Table for building Enterprise Applications. Supports React / Angular / Vue / Plain JavaScript.
http://www.ag-grid.com

AG Grid Enterprise 28 is now using eval() which is blocked by our content-security-policy #5420

Closed RuiMadeira closed 2 years ago

RuiMadeira commented 2 years ago

I'm submitting a ...

[x] bug report => see 'Providing a Reproducible Scenario'
[ ] feature request => do not use Github for feature requests, see 'Customers of AG Grid'
[ ] support request => see 'Requesting Community Support'

Providing a Reproducible Scenario It is difficult to provide a reproducible scenario, but basically it is just building and deploying an app with version 28.0.0 of AG Grid, also using AG Grid Enterprise, and then serving it through a server that sends a content-security-policy that doesn't allow the eval function (basically one without 'unsafe-eval').

Current behavior App won't load because of content-security-policy, giving out the error: "Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: [...]".

Code causing the issue: [screenshot not available]

Expected behavior App loads and uses AG Grid as normal. eval function should not be used since it's a security risk: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

Please tell us about your environment: Linux Mint 20.3 Cinnamon Visual Studio Code NPM AgGrid for Angular
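As an added example (not code from the ag-grid project or from this issue thread), the following check tells you whether a given Content-Security-Policy value would permit eval(), which is what AG Grid 28.0.0 needed at load time and what the reporter's policy refused; the sample policies are constructed.

```javascript
// Added example, not part of the ag-grid project or the issue above.
// Per the CSP spec, eval() is governed by script-src; when script-src is absent
// the browser falls back to default-src; when neither is present, eval is allowed.

function parseCsp(headerValue) {
  // Directives are separated by ';'; each is a name followed by whitespace-separated
  // source expressions. Directive names are ASCII case-insensitive.
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; browsers ignore later duplicates.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function evalAllowed(headerValue) {
  const directives = parseCsp(headerValue);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive: eval is not blocked
  // An empty source list (e.g. "script-src;") behaves like 'none', so eval is blocked.
  return sources.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies. The strict one mirrors the reporter's situation:
// without 'unsafe-eval', a library that calls eval() throws an EvalError on load.
const strictPolicy = "default-src 'self'; script-src 'self' https://cdn.example.invalid; object-src 'none'";
const relaxedPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const fallbackPolicy = "default-src 'self' 'unsafe-eval'";

console.log(evalAllowed(strictPolicy));   // false
console.log(evalAllowed(relaxedPolicy));  // true
console.log(evalAllowed(fallbackPolicy)); // true
```

Run this against the policy your server actually sends (not the one in your config) before deploying a new grid version, since the error in the report only surfaces in the browser at load time.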

seanlandsman commented 2 years ago

Hi,

Thanks for reporting this - we are aware of this issue and it's been fixed and will be available in our next release, currently scheduled for next week.

Our reference for this issue is AG-AG-6968.

thanks

RuiMadeira commented 2 years ago

Hi!

Thank you very much for the response. Looking forward to the release then.

Thanks

seanlandsman commented 2 years ago

Hi,

Version 28.1.0 of AG Grid has been released, which includes a fix for this issue.

Thank you for reporting this.