mrpmorris / Fluxor

Fluxor is a zero boilerplate Flux/Redux library for Microsoft .NET and Blazor.

JavaScript eval forces web apps to lower security levels #302

Closed mrpmorris closed 2 years ago

mrpmorris commented 2 years ago

<StoreInitializer> collects any required JavaScript from Middleware to include in the webpage.

This enables middleware to communicate with browser features to enable plugins such as ReduxDevTools.

Although it is not recommended that ReduxDevTools is used in any environment other than Debug, this doesn't mean we can just stop executing that JS, because third-party libraries may exist that require it, such as Fluxor.Persist.

We need to support a way of retrieving this middleware as a JS file from the server so we can include a <script> in our page with an Integrity attribute => See here

mrpmorris commented 2 years ago

It seems this is not a problem in V5 as no eval is executed if there are no scripts.
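
The proposal in the first comment, a `<script>` with an integrity attribute instead of evaluated script text, sketched as an added example that is not Fluxor's code or part of the original thread. The script body, the `/example/middleware.js` path and all function names are assumptions made for illustration.

```javascript
// Added example (not Fluxor code): Subresource Integrity for a script served as a file.
const nodeCrypto = require('crypto');

// Constructed stand-in for the JavaScript that middleware contributes.
const MIDDLEWARE_JS = 'window.exampleMiddleware = { init: function () { return "ready"; } };';

// Hash algorithms SRI defines, weakest to strongest.
const SRI_ALGS = ['sha256', 'sha384', 'sha512'];

// Value for the integrity attribute: "<alg>-<base64 digest of the exact bytes served>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${nodeCrypto.createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Tag the page would carry in place of handing the script text to eval.
// The src path is hypothetical.
function scriptTag(body, src = '/example/middleware.js') {
  return `<script src="${src}" integrity="${sriHash(body)}"></script>`;
}

// Check received bytes against an integrity value. Of the listed hashes only
// those using the strongest algorithm count, and any one match passes.
// Fails closed when no supported hash is listed (a choice made for this example).
function integrityMatches(integrity, received) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => {
      const dash = token.indexOf('-');
      if (dash < 1) return { alg: '', digest: '' };
      // Anything after "?" is an option string and is not part of the digest.
      return { alg: token.slice(0, dash), digest: token.slice(dash + 1).split('?')[0] };
    })
    .filter((e) => SRI_ALGS.includes(e.alg));
  if (entries.length === 0) return false;
  const strongest = Math.max(...entries.map((e) => SRI_ALGS.indexOf(e.alg)));
  return entries
    .filter((e) => SRI_ALGS.indexOf(e.alg) === strongest)
    .some((e) => sriHash(received, e.alg) === `${e.alg}-${e.digest}`);
}
```

The digest covers the exact bytes served, so the attribute has to be regenerated whenever the set of middleware scripts changes.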