Use ko.sortable with ko.secureBindings (to avoid 'unsafe-eval') #177
Comments
Here is a basic fiddle with knockout-secureBindings on: https://jsfiddle.net/rniemeyer/nxcdn69c/. Can you describe a bit how to best test it out? I am trying the "CSP Tester" extension for Chrome, but not sure that I am configuring it correctly.
Thanks for the feedback. To configure Content Security Policy I specify this in the web.config (C# web project): I reproduced the fiddle on a simple "test.html" page on my dev machine and it worked.
cool - you shouldn't need
Is it possible (or will it be possible) to use the knockout-sortable plugin on websites which use the knockout-secureBindings plugin in order to be able to implement a strict Content Security Policy which does not allow "unsafe-eval"?
At the moment it seems not possible. I have so far used the sortable without problems, but when I make the CSP stricter (not allowing 'unsafe-eval') I get this error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://code.jquery.com".