Currently, Marko Widgets renders inline <script> tags on the server, uses eval(), and uses inline styles in a few places. Inline scripts and styles are not allowed under a strict CSP unless the tags are whitelisted with a nonce attribute. Also, eval() is currently used to parse sanitized JSON data sent from the server for performance reasons, but in CSP mode we should use JSON.parse().
Related issue for Lasso.js: https://github.com/lasso-js/lasso/issues/93