We are using SmartClient v131p_2025-10-18_Enterprise. Currently in the CSP response header we have script-src 'self' 'unsafe-inline' 'unsafe-eval', which allows inline JavaScript and inline JavaScript method calls like eval() and setTimeout(). We must remove unsafe-inline and unsafe-eval from the header. Does SmartClient use inline JavaScript or inline JavaScript method calls?
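As an added illustration (not code from the thread, from SmartClient, or from Isomorphic), the following linter parses a Content-Security-Policy header value and reports whether the effective script policy still permits inline scripts or eval-like APIs. It uses the header value quoted in the question as its sample input, and goes slightly beyond the question by applying the browser's fallback from script-src to default-src and by treating 'unsafe-inline' as neutralised when a nonce or hash source is present (CSP Level 2+ behaviour). The nonce value `PLACEHOLDER_NONCE` and the function names are constructed for this example; a real deployment generates a fresh random nonce per response.

```javascript
// Parse "dir1 v1 v2; dir2 v3" into { dir1: ['v1', 'v2'], dir2: ['v3'] }.
// Directive names are ASCII case-insensitive; source values are kept as written
// because nonce and hash values are case-sensitive.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored after its first occurrence.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src governs script execution; when absent, browsers use default-src.
// Returns null when neither is present (scripts are then unrestricted).
function effectiveScriptSources(directives) {
  if (directives['script-src']) return directives['script-src'];
  if (directives['default-src']) return directives['default-src'];
  return null;
}

// Assess what the script policy permits. Keyword sources are compared
// case-insensitively; a nonce-/sha256-/sha384-/sha512- source disables the
// effect of 'unsafe-inline' in CSP2+ browsers.
function assessScriptPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    return {
      restricted: false, allowsInline: true, allowsEval: true,
      findings: ['no script-src or default-src: scripts are unrestricted'],
    };
  }
  const kw = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const hasUnsafeInline = kw.includes("'unsafe-inline'");
  const allowsInline = hasUnsafeInline && !hasNonceOrHash;
  const allowsEval = kw.includes("'unsafe-eval'");
  const findings = [];
  if (allowsInline) {
    findings.push("'unsafe-inline': inline <script> blocks and on* handler attributes run");
  }
  if (allowsEval) {
    findings.push("'unsafe-eval': eval(), new Function() and string arguments to setTimeout/setInterval run");
  }
  if (hasUnsafeInline && hasNonceOrHash) {
    findings.push("'unsafe-inline' is neutralised by nonce/hash sources (kept only for CSP1 browsers)");
  }
  return { restricted: true, allowsInline, allowsEval, hasNonceOrHash, findings };
}

// Build a nonce-based policy for one response. The caller supplies a nonce
// produced by a CSPRNG (e.g. 16 random bytes, base64-encoded) and puts the same
// value on every <script nonce="..."> it emits.
function buildNoncePolicy(nonce) {
  return `script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}

// Sample input: the header value quoted in the question above.
const CURRENT_HEADER = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";

console.log('current policy:', assessScriptPolicy(CURRENT_HEADER));
// PLACEHOLDER_NONCE is a constructed stand-in for a per-response random value.
console.log('nonce policy:', assessScriptPolicy(buildNoncePolicy('PLACEHOLDER_NONCE')));
```

Running the block reports both `allowsInline` and `allowsEval` as true for the current header and false for the nonce-based policy. Whether the application still functions under the stricter policy is a separate question that only testing the framework itself can answer: the linter only tells you what the header permits, not what the page needs.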
CSP policies such as unsafe-eval do not apply to component-based development with systems like SmartClient - they are, at best, marginally useful for inexperienced developers doing direct-to-DOM coding in simple web sites (not web applications).
If these policies were supported by SmartClient, the effect would be to cripple and slow down the framework, with no increase in security.
If you must support CSP, it is possible to deliver a version of SmartClient that can run in a crippled mode under this setting. This would carry a quite expensive initial cost and then a raised ongoing cost for support as well, but let us know if you want to pursue this.
More background here:
https://forums.smartclient.com/forum...ion#post264275