survey-library: Content Security Policy compatibility broken

Are you requesting a feature, reporting a bug or asking a question?

The newest release 1.0.2 broke the compatibility with Content Security Policy (CSP), which forbids the use of inline JavaScript and the use of the “eval()” function.

What is the current behavior?

Browser refuses to execute JavaScript. Survey is not showing up at all.

What is the expected behavior?

Everything works as it was with 1.0.1.

How would you reproduce the current behavior (if this is a bug)?

Inject a CSP for testing purposes. Add to HTML Head:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';">

Provide the test code and the tested page URL (if applicable)

Tested page URL: Press F12 to open your JavaScript console!

SurveyJS 1.0.2 (broken): https://iq4s-2.hci.uni-hannover.de/tmp/index.php?id=4ff93b77
SurveyJS 1.0.1 (working): https://iq4s-2.hci.uni-hannover.de/master/index.php?id=4ff93b77

Test code not needed.

Specify your

  • browser: Google Chrome
  • browser version: 63
  • surveyjs platform (angular or react or jquery or knockout or vue): jquery
  • surveyjs version: 1.0.2
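
An added example (not part of the original issue and not SurveyJS code): a small evaluator for the policy in the reproduction step above, reporting whether it permits eval() and inline scripts, the two things the report says the CSP forbids. The function names are hypothetical, and the nonce policy in the usage is constructed.

```javascript
// Policy string copied from the issue's <meta http-equiv> tag.
const ISSUE_POLICY =
  "default-src 'self'; script-src 'self'; connect-src 'self'; " +
  "img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';";

// Parse a serialized CSP into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list governing a fetch directive, falling back to default-src.
// Returns null when neither is present (nothing is restricted).
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? null;
}

// Report what a policy permits for scripts: eval()/new Function() and inline code.
function scriptCapabilities(policy) {
  const sources = effectiveSources(parseCsp(policy), "script-src");
  if (sources === null) return { eval: true, inline: true };
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    // eval(), new Function() and string-based setTimeout need 'unsafe-eval'.
    eval: lower.includes("'unsafe-eval'"),
    // 'unsafe-inline' is ignored by browsers when a nonce or hash is present.
    inline: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
  };
}

// The issue's policy: script-src 'self' allows neither eval nor inline scripts.
console.log(scriptCapabilities(ISSUE_POLICY));
// Constructed policy: the nonce makes browsers disregard 'unsafe-inline'.
console.log(scriptCapabilities("script-src 'nonce-r4nd0m' 'unsafe-inline'"));
```

Run against a library build, a result of eval: false means any eval() or new Function() call in the bundle will be refused by the browser under this policy.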

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 21 (13 by maintainers)

Most upvoted comments

@gawielgo survey-angular is a wrapper over the survey-knockout package. We have a native Angular implementation out of the box in our plans, but not exactly right now.

Our roadmap for the nearest future was announced by @andrewtelnov here - https://github.com/surveyjs/survey-library/issues/2756#issuecomment-967461460

After SurveyJS Creator V2 we plan to start work on a native Angular implementation (latest Angular). Unfortunately we can’t promise you the exact timeframe.

@ozatski Yes, we’ve not changed this behavior.