rniemeyer / knockout-sortable

A Knockout.js binding to connect observableArrays with jQuery UI sortable functionality
MIT License

Use ko.sortable with ko.secureBindings (to avoid 'unsafe-eval') #177

Open mirkolugano opened 7 years ago

mirkolugano commented 7 years ago

Is it possible (or will it be possible) to use the knockout-sortable plugin on websites which use the knockout-secureBindings plugin in order to be able to implement a strict Content Security Policy which does not allow "unsafe-eval"? At the moment it seems not possible. I have so far used the sortable without problems, but when I make the CSP stricter (not allowing 'unsafe-eval') I get this error: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://code.jquery.com".

rniemeyer commented 7 years ago

Here is a basic fiddle with knockout-secureBindings on: https://jsfiddle.net/rniemeyer/nxcdn69c/.

Can you describe a bit how to best test it out? I am trying the "CSP Tester" extension for Chrome, but not sure that I am configuring it correctly.
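A quick way to sanity-check the policy string itself before loading it into a browser extension, as an added example that is not part of knockout-sortable or either commenter's code: the function below parses a Content-Security-Policy header value and reports whether the effective script-src (falling back to default-src, as the spec requires) permits 'unsafe-eval'. The sample policies are constructed for the example; the first one is the directive quoted in the issue. Note that this only inspects the policy text; whether a given script actually needs eval (Knockout's default binding provider compiles binding strings, knockout-secure-binding parses them instead) is still something you confirm by loading the page under that policy and watching the console.

```javascript
// Added example (not knockout-sortable code): parse a CSP header value and
// decide whether the effective script-src allows 'unsafe-eval'.

function parseCsp(policy) {
  // A policy is a ';'-separated list of directives; each directive is a
  // whitespace-separated name followed by its source expressions.
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive name; only the first occurrence counts.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1));
    }
  }
  return directives;
}

function effectiveScriptSources(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when absent; if neither is present
  // the policy places no restriction on script execution at all.
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function allowsUnsafeEval(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true; // unrestricted: eval is not blocked
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies; "issue" is the directive quoted in the thread.
const SAMPLE_POLICIES = {
  issue: "script-src 'self' https://code.jquery.com",
  relaxed: "default-src 'self'; script-src 'self' 'unsafe-eval' https://code.jquery.com",
  fallback: "default-src 'self' 'unsafe-eval'",
  none: "img-src 'self'",
};

// Map each labelled policy to true (eval permitted) or false (eval blocked).
function report(policies) {
  const result = {};
  for (const [label, policy] of Object.entries(policies)) {
    result[label] = allowsUnsafeEval(policy);
  }
  return result;
}

console.log(report(SAMPLE_POLICIES));
```

Running it prints `issue: false`, i.e. the policy from the issue blocks eval, which is exactly what triggers the "Refused to evaluate a string as JavaScript" error when a library on the page still relies on it.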

mirkolugano commented 7 years ago

Thanks for the feedback. To configure Content Security Policy I specify this in the web.config (C# web project):

```
</system.webServer>
```

I reproduced the fiddle on a simple "test.html" page on my dev machine and it worked. I then added to that test page all the scripts I use in my app and it didn't work any more. I then removed the scripts one by one and the one causing problems was jquery.tmpl. I removed it from my app (not sure I need it anymore, maybe some old stuff) and now it does not complain any more. I can't sort yet, but that's probably something on my side; I'll keep investigating. Is it a known issue with jquery.tmpl? Thanks

rniemeyer commented 7 years ago

cool - you shouldn't need jquery.tmpl, if you are just using normal Knockout templating.