I'm working on an app that uses dhtmlxSuite 4.2, and I have been refactoring our code base to support Content Security Policy. For now, we are removing 'unsafe-inline' and using a nonce to secure inline scripts.
Could you please provide some information regarding dhtmlx suite 4.2: does it support CSP, and if so, how can I configure it to support CSP using a nonce? I have been searching the internet, but I can't find any relevant documentation for this version.
Our script-src directive in CSP header is:
`script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-r4nd0m'`
I'm using the following line to add the dhtmlx .js files to the code:
`<script nonce="r4nd0m" src="/dhtmlx/dhtmlxWindows/codebase/dhtmlxwindows.js">`
The nonce and src values are not relevant, I've added them just for this example.
Currently the following error shows in browser:
`[Report Only] Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-xk0G314zlbshNaCyRmCZfqZNr3N8EEG3ZYSUkRvnfSs=
dhtmlXCellObject._detachObject|@|dhtmlxcontainer.js:1010
dhtmlXCellObject.unloadView|@|dhtmlxcontainer.js:356
dhtmlXCellObject._unload|@|dhtmlxcontainer.js:547
dhtmlXWindows._winClose|@|dhtmlxwindows.js:874
dhtmlXWindows._winButtonClick|@|dhtmlxwindows.js:1719
dhtmlXWindows._winMouseDownHandler|@|dhtmlxwindows.js:998
obj.callEvent|@|VM2422 dhtmlxcommon.js:929
_winOnMouseDown|@|dhtmlxwindows.js:259`
My understanding is that dhtmlx is creating some inline event handlers, which makes it non-compliant with CSP. I'm hoping to find a way to make dhtmlx suite 4.2 compliant with the CSP filter.
Below is an extract from the dhtmlx code base referenced in the stack trace (two screenshots):
Thank you!