React is currently incompatible with sites that enable a Content Security Policy:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'". [1]
From some quick testing, there appears to be only one place in React currently performing evaluation from a string: https://github.com/facebook/react/blob/master/src/environment/ExecutionEnvironment.js#L39
- global: new Function('return this;')()
+ global: function() { return this; }()
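Review bot: on the `+` line, `this` inside a plain function call is `undefined` when the enclosing code is strict, so `global` would silently become `undefined` if this module is ever compiled under 'use strict'. The `new Function('return this;')` form did not have that dependency, because a function built from a string is sloppy-mode regardless of its caller. Either add a comment stating that this file must stay non-strict, or resolve the global from explicit names (for example `typeof window !== 'undefined' ? window : this`) so the result does not depend on strictness.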
This one-off is easy enough to fix in a single pull request that I'll gladly submit. However, I'm uneasy deploying React on a CSP-enabled site without a bit of integration testing and an understanding of whether CSP incompatibility issues even qualify as bugs. What's the official stance on React+Content-Security-Policy?
[1] https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#usage