Breeze JS errors with Content Security Policy

0
votes

With Breeze JS and a strict Content Security Policy I get the error Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive.

Is there a way to fallback without 'unsafe-eval' the same way AngularJS does with https://docs.angularjs.org/api/ng/directive/ngCsp?

1
breezecontent-security-policy
Can you tell, from where in Breeze the error is thrown?Steve Schmitt
function t(e) { var t = e.name.replace(/\W/g, "_"); return Function("return function " + t + "(){}")() } The return line is where it errors. That's the formatted minified code.mgrowan

1 Answers

3
votes

Breeze uses Function(string) in order to make constructor functions for entities that have the same name as the entity. This is purely to make debugging easier, and is not an essential feature.

It should be possible to remove the reliance on Function(string) in the next version of Breeze. In the meantime, you can patch your version using:

function createEmptyCtor(type) {
    return function(){};
}

Or minified as in your comment above:

function t(e) { return function(){}; }