Is there a way to get the 3.x JS API to work with a Content-Security-Policy without the script-src 'unsafe-eval' directive?

06-11-2019 09:34 AM
New Contributor

Trying to get the ArcGIS JS API 3.28 to load in an environment with a Content-Security-Policy with the following

script-src 'self' '' and the application will not load, as it seems init.js fails the 'unsafe-eval' directive

init.js:14 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'"

at new Function (<anonymous>)
at init.js:14
at init.js:38

Has anybody else tried using the api in such an environment and had success?

0 Kudos
1 Reply
Regular Contributor II

The short answer is no.

The error you're showing is actually a Dojo error, which you can eliminate by configuring csp-restrictions.  Unfortunately, ArcGIS API 3.x itself contains code that will be rejected by CSP without the 'unsafe-eval' tag.  This isn't an issue with 4.x, so unless there's 3.x functionality you really need, you should consider going that route.

See this link for more info: 

0 Kudos