Is there a way to get the 3.x JS API to work with a Content-Security-Policy without the srcipt-src 'unsafe-eval' directive?

684
1
06-11-2019 09:34 AM
GeraldGayowsky
New Contributor

Trying to get the ArcGIS JS API 3.28 to load in an environment with a Content-Security-Policy with the following

script-src 'self' 'https://js.arcgis.com/3.28' and the application will not load as it seem init.js fails the 'unsafe-eval' directive

init.js:14 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://js.arcgis.com/3.28/"

at new Function (<anonymous>)
at init.js:14
at init.js:38

Has anybody else tried using the api in such an environment and had success?

0 Kudos
1 Reply
MarkCederholm
Regular Contributor II

The short answer is no.

The error you're showing is actually a Dojo error, which you can eliminate by configuring csp-restrictions.  Unfortunately, ArcGIS API 3.x itself contains code that will be rejected by CSP without the 'unsafe-eval' tag.  This isn't an issue with 4.x, so unless there's 3.x functionality you really need, you should consider going that route.

See this link for more info: https://community.esri.com/groups/geodev/blog/2019/09/05/content-security-policy-and-the-arcgis-api-... 

0 Kudos