Removing the need for javascript "Eval" function - is it possible and desirable?

Hi all,

At the moment we have implemented a Content Security Header policy for our Umbraco websites that is as strict as possible.
Unfortunately we have to add the “unsafe-inline” CSP header for each Umbraco website, because in the Umbraco backoffice JavaScript code the “eval” function is still used in several locations in the code base.

Our security officers are, of course, not happy with this situation.
And we developers have to explain, after each security test, the reason for this “unsafe-inline” CSP header.

I had a short email conversation with Shannon about this. Following his suggestion, I just looked at the current Umbraco 8 source code. And unfortunately there are still several JavaScript files that use the eval function:

  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\lib\umbraco\NamespaceManager.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\src\common\directives\components\forms\fixnumber.directive.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\src\common\directives\components\forms\hotkey.directive.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\src\common\directives\util\konami.directive.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\src\common\directives\validation\valserver.directive.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\src\common\services\localization.service.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\src\common\services\navigation.service.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI.Client\src\controllers\navigation.controller.js
  • Umbraco-CMS-temp8\src\Umbraco.Web.UI\Umbraco\webservices\ajax.js

According to the Mozilla JavaScript reference:

“Do not ever use eval!”

So, what is your opinion about this as Umbraco developers?
Should we/Umbraco strive to ban the “eval” function from its code base?
And will this be possible?


This is a companion discussion topic for the original entry at https://our.umbraco.com/forum/94307-removing-the-need-for-javascript-eval-function-is-it-possible-and-desirable
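As an added example (not from the original post and not Umbraco's own code) of how eval-based patterns in a backoffice code base can be rewritten so the page runs under a CSP without 'unsafe-eval': it assumes the namespace manager builds dotted namespaces with eval and that services resolve dotted keys from strings; the function names and sample data are constructed.

```javascript
// Pattern 1: namespace registration. Legacy code often does
//   eval("window." + ns + " = window." + ns + " || {}")
// which executes whatever string it is handed. This version walks the
// dotted path and creates plain objects, refusing anything that is not
// a chain of identifiers and any prototype-touching segment.
const IDENT_CHAIN = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function ensureNamespace(root, dotted) {
  if (!IDENT_CHAIN.test(dotted)) {
    throw new TypeError("invalid namespace: " + dotted);
  }
  return dotted.split(".").reduce((obj, part) => {
    if (FORBIDDEN.has(part)) {
      throw new TypeError("forbidden namespace segment: " + part);
    }
    if (!Object.prototype.hasOwnProperty.call(obj, part)) {
      obj[part] = {};
    } else if (obj[part] === null || typeof obj[part] !== "object") {
      throw new TypeError("namespace segment is not an object: " + part);
    }
    return obj[part];
  }, root);
}

// Pattern 2: resolving a dotted key from a string, e.g. a localization
// key or a server-side validation path, often written as
//   eval("model." + path)
// This version reads own properties only, so inherited members such as
// toString or __proto__ are never reached, and it never executes code.
function getPath(root, dotted) {
  let current = root;
  for (const part of dotted.split(".")) {
    if (current === null || typeof current !== "object") return undefined;
    if (!Object.prototype.hasOwnProperty.call(current, part)) return undefined;
    current = current[part];
  }
  return current;
}

// Constructed sample data standing in for window and a localization table.
const fakeWindow = {};
const pluginsNs = ensureNamespace(fakeWindow, "Umbraco.Sys.registeredPlugins");
pluginsNs.fixnumber = true;
const localization = { general: { save: "Save", cancel: "Cancel" } };
```

Both functions are pure object manipulation, so no CSP `script-src` relaxation is needed for them; the remaining `eval` call sites would be handled the same way, one pattern at a time.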