topic Is there a way to get the 3.x JS API to work with a Content-Security-Policy without the srcipt-src 'unsafe-eval' directive? in ArcGIS JavaScript Maps SDK Questions

Is there a way to get the 3.x JS API to work with a Content-Security-Policy without the srcipt-src 'unsafe-eval' directive?

GeraldGayowsky — Tue, 11 Jun 2019 16:34:44 GMT

Trying to get the ArcGIS JS API 3.28 to load in an environment with a Content-Security-Policy with the following

script-src 'self' 'https://js.arcgis.com/3.28' and the application will not load as it seem init.js fails the 'unsafe-eval' directive

init.js:14 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://js.arcgis.com/3.28/"
at new Function (<anonymous>)
at init.js:14
at init.js:38

Has anybody else tried using the api in such an environment and had success?

Re: Is there a way to get the 3.x JS API to work with a Content-Security-Policy without the srcipt-src 'unsafe-eval' directive?

MarkCederholm — Thu, 05 Sep 2019 20:58:27 GMT

The short answer is no.

The error you're showing is actually a Dojo error, which you can eliminate by configuring csp-restrictions. Unfortunately, ArcGIS API 3.x itself contains code that will be rejected by CSP without the 'unsafe-eval' tag. This isn't an issue with 4.x, so unless there's 3.x functionality you really need, you should consider going that route.

See this link for more info: https://community.esri.com/groups/geodev/blog/2019/09/05/content-security-policy-and-the-arcgis-api-for-javascript