-
dynjs needs to be executed to load lookup scripts etc. For this you can override jQuery globalEval to handle scripts. There is an example, but I didn't try this on any project. I can't guarantee it works as expected. It loads the requested scripts into the HTML, and when you load too many scripts, your page will have performance issues. But it also gives you an idea of how you can handle this.

```js
$.globalEval = (data) => {
    // Reuse a single <script id="dynjs"> element, creating it on first use
    let element = document.getElementById("dynjs");
    if (!element) {
        element = document.createElement("script");
        element.id = "dynjs";
    }
    // Append the fetched script text and (re)attach the element to the page
    element.innerHTML += data;
    document.body.append(element);
};
```
-
Hello, I am trying to enforce CSP best practices, according to the following links:
https://owasp.org/www-community/controls/Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
The main roadblock right now is related to the fact that Serenity uses the jQuery global eval function everywhere in the app from their Q.ScriptData namespace in JavaScript. This will prevent implementing a sound Content Security Policy for scripting.

Q.ScriptData:

```js
success: function (data, textStatus, jqXHR) {
    $.globalEval(data);
},
```

which is what the policy tries to prevent.
Is there any way to remediate this security issue? Am I missing something?
What do you think?
Thank you, Jose
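The policy interaction this thread turns on, as an added example that is not part of the original discussion or of Serenity's code: a Node-runnable checker that reports whether a given policy would let a fetched script string run through eval or through an injected inline script element (the mechanism used by the override in the reply). `parseCsp`, `effective`, `checkDynamicScript` and the sample policy and nonce are hypothetical names and constructed values.

```javascript
// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Source list of the first directive present in the fallback chain, else null.
function effective(directives, chain) {
  for (const name of chain) if (name in directives) return directives[name];
  return null;
}

// Would a fetched script string run via eval, or via an injected inline <script>?
// Hash sources are not matched here: the fetched text is not known in advance.
function checkDynamicScript(policy, nonce) {
  const d = parseCsp(policy);
  const has = (list, kw) => list.some((s) => s.toLowerCase() === kw);

  // eval()/new Function(): governed by script-src, falling back to default-src.
  const evalList = effective(d, ["script-src", "default-src"]);
  const evalAllowed = evalList === null || has(evalList, "'unsafe-eval'");

  // Inline <script>: script-src-elem, then script-src, then default-src.
  const inlineList = effective(d, ["script-src-elem", "script-src", "default-src"]);
  let inlineAllowed = true;
  if (inlineList !== null) {
    const nonceOrHash = inlineList.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    const nonceOk = Boolean(nonce) && inlineList.includes(`'nonce-${nonce}'`);
    // 'unsafe-inline' is ignored when a nonce/hash source or 'strict-dynamic' is present.
    const unsafeInline = has(inlineList, "'unsafe-inline'") &&
      !nonceOrHash && !has(inlineList, "'strict-dynamic'");
    inlineAllowed = nonceOk || unsafeInline;
  }
  return { evalAllowed, inlineAllowed };
}

// Constructed sample policy and nonce (not taken from the page).
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
console.log(checkDynamicScript(SAMPLE_POLICY, null));
console.log(checkDynamicScript(SAMPLE_POLICY, "r4nd0m"));
```

Under the sample policy an injected inline script element runs only when it carries the matching nonce, and eval-style execution stays blocked either way.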