handlebars-lang / handlebars.js

Minimal templating on steroids.
http://handlebarsjs.com
MIT License
17.81k stars 2.04k forks

Content Security Policy is blocking the handlebars.js script in dist/handlebars.js #2033

Closed BalkrishnaBhat closed 1 day ago

BalkrishnaBhat commented 5 days ago

Handlebar widget in Apache Superset is not working when Content Security Policy is applied. This is because the handlebars.js script has Function.apply code, which is not acceptable. In version 4.7.7, this code is at line 4135 ('return Function.apply(this, params);').

If we set script-src to unsafe-eval, it works, but unsafe-eval is not a recommended option for a production system.

Is there an alternate way to handle this, or is there any plan to resolve this in an upcoming version?

Thanks!!

jaylinski commented 1 day ago

This is a known issue. See issue #1934 for more information and workarounds.
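
Why the line quoted in the issue trips the policy, as an added example that is not part of the thread or of Handlebars: `Function.apply(this, params)` calls the Function constructor with a string body, which CSP treats the same as eval. The Node.js sketch below uses the `vm` module's `codeGeneration` option to mimic that enforcement; the helper names and the sample policies are constructed for illustration.

```javascript
// Added illustration, not code from Handlebars or Superset.
// cspAllowsEval and runUnderPolicy are hypothetical helper names.
const vm = require('node:vm');

// Does a CSP header value permit string-to-code evaluation (eval, new Function)?
// script-src governs it; default-src is the fallback when script-src is absent.
function cspAllowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by CSP parsers: the first one wins.
    if (!directives.has(key)) directives.set(key, values.map((v) => v.toLowerCase()));
  }
  const effective = directives.get('script-src') ?? directives.get('default-src');
  if (effective === undefined) return true; // nothing restricts scripts
  return effective.includes("'unsafe-eval'");
}

// Run `source` in a fresh V8 context that allows or forbids code generation
// from strings, mirroring what a browser enforces for the given policy.
function runUnderPolicy(source, policy) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: cspAllowsEval(policy) },
  });
  try {
    return { ok: true, value: vm.runInContext(source, context) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Same shape as the call quoted in the issue: the last element of the
// params array is the function body, passed as a string.
const RUNTIME_COMPILE = 'Function.apply(this, ["a", "b", "return a + b"])(1, 2)';
// An ordinary function expression needs no string-to-code step.
const PLAIN_FUNCTION = '(function (a, b) { return a + b; })(1, 2)';

// Constructed sample policies.
const STRICT = "default-src 'self'; script-src 'self'";
const RELAXED = "default-src 'self'; script-src 'self' 'unsafe-eval'";

for (const [label, policy] of [['strict', STRICT], ['relaxed', RELAXED]]) {
  console.log(label, runUnderPolicy(RUNTIME_COMPILE, policy),
    runUnderPolicy(PLAIN_FUNCTION, policy));
}
```

Under the strict policy only the string-built function fails; code that is already a function when the page loads is unaffected.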