Trying to get the ArcGIS JS API 3.28 to load in an environment with a Content-Security-Policy with the following:
script-src 'self' 'https://js.arcgis.com/3.28' and the application will not load as it seems init.js fails the 'unsafe-eval' directive
at new Function (<anonymous>)
Has anybody else tried using the api in such an environment and had success?
The short answer is no.
The error you're showing is actually a Dojo error, which you can eliminate by configuring csp-restrictions. Unfortunately, ArcGIS API 3.x itself contains code that will be rejected by CSP without the 'unsafe-eval' tag. This isn't an issue with 4.x, so unless there's 3.x functionality you really need, you should consider going that route.
See this link for more info: https://community.esri.com/groups/geodev/blog/2019/09/05/content-security-policy-and-the-arcgis-api-...
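A check for a script-src list like the one in this thread, as an added example that is not from either post and is not Esri or Dojo code (the function name lintScriptSrc and the sample policies are constructed for illustration). It reports whether eval-style calls such as new Function are permitted, and goes slightly beyond the thread by also flagging two things browsers apply to the source list: a URL wrapped in quotes is not a valid source expression and is ignored, and a host source whose path has no trailing "/" matches only that exact path.

```javascript
// Added example: minimal script-src linter for a CSP header value.
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'"]);
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_=-]+'$/;

function lintScriptSrc(policy) {
  // A policy is ';'-separated directives: a name followed by source expressions.
  const directives = policy.split(";")
    .map(d => d.trim().split(/\s+/))
    .filter(d => d[0]);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const d = directives.find(x => x[0].toLowerCase() === "script-src") ||
            directives.find(x => x[0].toLowerCase() === "default-src");
  const result = { directive: d ? d[0].toLowerCase() : null,
                   evalAllowed: false, ignored: [], exactPathOnly: [] };
  if (!d) { result.evalAllowed = true; return result; } // nothing restricts eval

  for (const src of d.slice(1)) {
    const lower = src.toLowerCase();
    if (lower === "'unsafe-eval'") { result.evalAllowed = true; continue; }
    if (KEYWORDS.has(lower) || NONCE_OR_HASH.test(src)) continue;
    if (src.startsWith("'") || src.endsWith("'")) {
      // Quotes are reserved for keywords, nonces and hashes. A quoted URL
      // is not a valid source expression, so the browser ignores it.
      result.ignored.push(src);
      continue;
    }
    // Host source: strip the scheme, then look at the path part.
    const rest = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
    // A path without a trailing "/" is matched exactly, not as a prefix,
    // so ".../3.28" would not cover ".../3.28/init.js".
    if (rest.includes("/") && !rest.endsWith("/")) result.exactPathOnly.push(src);
  }
  return result;
}

// Constructed sample: the policy as posted in the question.
console.log(lintScriptSrc("script-src 'self' 'https://js.arcgis.com/3.28'"));
// Constructed sample: unquoted host, prefix path, and the 'unsafe-eval'
// keyword that the answer says 3.x cannot run without.
console.log(lintScriptSrc("script-src 'self' https://js.arcgis.com/3.28/ 'unsafe-eval'"));
```

Adding 'unsafe-eval' relaxes the policy for every script the page is allowed to load, which is the trade-off behind the answer's suggestion to move to 4.x.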