Content Security Policy `unsafe-eval` and `unsafe-inline` still required?

Question

Content Security Policy `unsafe-eval` and `unsafe-inline` still required?

joehuang-seismic opened this issue 6 months ago · comments

SystemJS Version: 6.10.2
Which library are you using?
- system.js
- s.js
- system-node.cjs
Which extras are you using?
- AMD extra
- Named Exports
- Named Register
- Transform
- Use Default
- Global
- Dynamic Import Maps
Are you using any custom hooks? Yes
- compiler.hooks.compilation.tap
  - compilation.hooks.afterOptimizeChunks.tap

Question

I saw from this old comment #2172 (comment) that SystemJS depends on unsafe-eval and unsafe-inline CSP to work, is this still the case? If so, are there any suggestions to accommodate the removal of those CSP rules? From what I've found, it looks like eval is still in use, and we still need to apply those unsafe CSP rules. Any insights would be greatly appreciated, thanks!

Guy Bedford · Answer 1 · Thu Jan 18 2024 12:39:55 GMT+0800 (China Standard Time)

SystemJS is very much CSP compatible, it's only when using the transform or fetch extras that this is not the case.