Closed MrKrabat closed 4 years ago
Thank you for the valuable feedback, @MrKrabat! This issue is related to the fact that we started using the Knockout core in the Angular and jQuery libraries instead of React+preact. If you need CSP compatibility, you can use the "survey-react" library as a workaround for now. We will discuss this issue with the team and update this thread as soon as we find a solution.
@MrKrabat Could you please describe your requirements in greater detail, if possible: what real-world application are you developing - a web site, an Electron app, a Chrome extension, a Chrome app or something else? Probably you have other security requirements you can tell us about.
Thanks, we are developing a web site which allows employees of the institute to create surveys. We use SurveyJS to render a preview in our editor and to display the online surveys.
In general we have no special security requirements, but being CSP compatible and disabling inline JavaScript and eval() should be standard for new applications today.
@MrKrabat Thank you for the information you provided. We understand the importance of CSP compatibility and we've included this feature in our task list. We'll update this thread as soon as we have some results.
Having the same issue with v1.0.60.
@ozatski Yes, we've not changed this behavior.
How high is making SurveyJS compatible with CSP on the task list at the moment? And is there a version of SurveyJS that is CSP compatible (in a comment it was stated that the react version was, but is this still the case)? I'm using the jquery version at the moment.
@Lionqueen94 No, we've postponed this task at the moment.
@Lionqueen94 But the react version should still be CSP compatible.
Hi, any updates on this issue? Is there a fix yet? I am facing the same issue.
@sabaansari86 You can use the survey-react library as I wrote earlier.
The problem is we are using the custom widgets from survey js that have the knockout dependency. Also surveyjs itself has a dependency on knockout.
@sabaansari86 You can use the survey-react library as I wrote earlier. The survey-react library doesn't have a knockoutjs dependency. Custom widgets also don't use knockoutjs.
If it isn't so, please provide a live sample illustrating the issue.
The survey-react library still uses stylemanager and uses inline styles ... this really should not be closed until it is resolved surely!
@mattdeacon What's the problem with the inline styles and the styles manager?
hi guys, is there any possibility that the survey-angular will also be adapted?
@gawielgo survey-angular is a wrapper over the survey-knockout package. We have a native angular implementation out of the box in our plans, but not exactly right now
hi @tsv2013, sorry if I ask you again... when do you plan to release that version? if it's possible to know...
Our roadmap for the nearest future was announced by @andrewtelnov here - https://github.com/surveyjs/survey-library/issues/2756#issuecomment-967461460
After SurveyJS Creator V2 we plan to start work on native Angular implementation (latest Angular). Unfortunately we can't promise you the exact timeframe.
hi @tsv2013, is there any news for survey-angular native???
@gawielgo We started to work on it in this branch - https://github.com/surveyjs/survey-library/tree/feature/3681-native-ng
Are you requesting a feature, reporting a bug or asking a question?
The newest release 1.0.2 broke compatibility with Content Security Policy (CSP), which forbids the use of inline JavaScript and the use of the "eval()" function.
What is the current behavior?
Browser refuses to execute Javascript. Survey is not showing up at all.
What is the expected behavior?
Everything works as it was with 1.0.1.
How would you reproduce the current behavior (if this is a bug)?
Inject a CSP for testing purpose. Add to HTML Head:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';">
Provide the test code and the tested page URL (if applicable)
Tested page URL: Press F12 to open your javascript console!
SurveyJS 1.0.2 (broken): https://iq4s-2.hci.uni-hannover.de/tmp/index.php?id=4ff93b77
SurveyJS 1.0.1 (working): https://iq4s-2.hci.uni-hannover.de/master/index.php?id=4ff93b77
Test code not needed.
Specify your
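
As an added example (not code from SurveyJS or from anyone in this thread), the sketch below evaluates the policy from the reproduction steps at keyword level: `script-src 'self'` rejects string-to-code evaluation and inline scripts, while `style-src 'self' 'unsafe-inline'` still permits inline styles. The function names are hypothetical, and host/scheme source matching is deliberately not modelled.

```javascript
// Added example: a simplified, keyword-level CSP evaluator (assumption: only
// keyword sources matter for the questions raised in this thread).

// The policy string quoted in the issue's reproduction steps.
const REPORTED_POLICY =
  "default-src 'self'; script-src 'self'; connect-src 'self'; " +
  "img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';";

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src and style-src fall back to default-src; null means "unrestricted".
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

function allowsKeyword(sources, keyword, isScript = false) {
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  if (keyword === "'unsafe-inline'") {
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present,
    // and for scripts also when 'strict-dynamic' is present.
    const overridden = lower.some((s) =>
      /^'(nonce-|sha(256|384|512)-)/.test(s) ||
      (isScript && s === "'strict-dynamic'"));
    if (overridden) return false;
  }
  return lower.includes(keyword);
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const script = effectiveSources(d, 'script-src');
  const style = effectiveSources(d, 'style-src');
  return {
    // Gates eval(), new Function() and string arguments to setTimeout/setInterval.
    stringToCode: allowsKeyword(script, "'unsafe-eval'", true),
    inlineScript: allowsKeyword(script, "'unsafe-inline'", true),
    inlineStyle: allowsKeyword(style, "'unsafe-inline'"),
  };
}

console.log(auditCsp(REPORTED_POLICY));
```

Tightening `style-src` to `'self'` alone flips `inlineStyle` to false, which is the case the inline-styles comment in the thread is concerned with.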