Hi, we are currently integrating the mupdf web viewer into our application and we are encountering 2 Content Security Policy (CSP) issues.
1. It appears that your current minified build has a line where a function is created from a string. I’ve attached a screenshot of this. This triggers a CSP violation unless we enable the ‘unsafe-eval’ directive, which we cannot do for security reasons. Is there a workaround for this?
2. The library appears to create an iframe with inline tags; these are also blocked by our CSP. To allow these to run we would need a configuration option to pass a nonce hash to them. Is there a way to do this already that I have missed, or would it be possible to add this?
Hi @IsaacWebber welcome to the forum and thanks for the post. Could you supply the screenshot, for some reason it wasn’t attached. I’ll chase up these issues with our WebViewer engineering team.
Thanks for the reply, that's my bad. Here is the screenshot:

Also worth noting that we’ve also noticed we are getting similar CSP issues with inline event listeners as well.
@IsaacWebber It looks like for us to be able to adhere to your CSP that we might need to find some way of injecting a nonce into all the inline JS at build time.
Can you confirm that your CSP is something like this:
Content-Security-Policy: default-src 'self'; script-src 'self';
Hi, our CSP is Content-Security-Policy "script-src 'nonce-$request_id' 'strict-dynamic';". The nonce is generated per page load, as stated here: HTML nonce global attribute - HTML | MDN, and so injecting this at build time wouldn't work. So we would need a way of passing it in at runtime. This will solve the issue with the unsafe inlines.
The other issues, with the unsafe evals and inline event listeners, would have to be moved into the scripts with the nonces so they are marked as safe to run.
Okay - thanks for the info - we will look into this further.