We have a Jasper Server integration using Visualize.js. One of our customers is asking for a stricter Content Security Policy, in particular the removal of unsafe-eval and unsafe-inline from the CSP. Visualize.js cannot run without unsafe-eval because of code like the one below:

    __visualize__.define("visualize/loader/core/util/helper", ["require", "exports", "module"], function(e, t, i) {
        i.exports = {
            serverSettings: function(e) {
                var t = e.match(/<script[^>]*>([^<]*)<\/script>/)[1];
                return new Function(t + "return __jrsConfigs__;")()
            },
            loaderConfig: function(e) {
                return new Function("requirejs","return " + e)({
                    config: function(e) {
                        return e
                    }
                })
            }
        }
    })

There are about 30 places in Visualize.js that cannot run without unsafe-eval.
Components: JasperReports Server, Visualize.js
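
An added example, not part of the original post and not Jaspersoft code: a heuristic scanner that lists the string-to-code sinks (`new Function`, `eval`, string-argument timers) that a CSP without `unsafe-eval` blocks, as a way to inventory call sites like the ones quoted above. The sample input reuses the helper from the post; its `renderLabel` and `setTimeout` lines are constructed, and `findEvalSinks` is a hypothetical name.

```javascript
// Heuristic scan for string-to-code sinks that a CSP without 'unsafe-eval' blocks.
// Regex-based triage only: hits inside comments or string literals need manual review.
const EVAL_SINKS = [
  { kind: "Function constructor", re: /(?<![\w$])(?:new\s+)?Function\s*\(/g },
  { kind: "eval call", re: /(?<![\w$])eval\s*\(/g },
  { kind: "string timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

function findEvalSinks(source) {
  // Record where each line starts so minified one-line bundles still get a column.
  const lineStarts = [0];
  for (let i = 0; i < source.length; i++) {
    if (source[i] === "\n") lineStarts.push(i + 1);
  }
  const locate = (offset) => {
    let lo = 0, hi = lineStarts.length - 1;
    while (lo < hi) { // binary search: last line start <= offset
      const mid = (lo + hi + 1) >> 1;
      if (lineStarts[mid] <= offset) lo = mid; else hi = mid - 1;
    }
    return { line: lo + 1, column: offset - lineStarts[lo] + 1 };
  };
  const findings = [];
  for (const { kind, re } of EVAL_SINKS) {
    for (const m of source.matchAll(re)) {
      const snippet = source.slice(m.index, m.index + 48).replace(/\s+/g, " ");
      findings.push({ kind, ...locate(m.index), snippet });
    }
  }
  return findings.sort((a, b) => a.line - b.line || a.column - b.column);
}

// Sample input: helper from the post, plus two constructed lines at the end.
const SAMPLE = String.raw`i.exports = {
  serverSettings: function(e) {
    var t = e.match(/<script[^>]*>([^<]*)<\/script>/)[1];
    return new Function(t + "return __jrsConfigs__;")()
  },
  loaderConfig: function(e) {
    return new Function("requirejs","return " + e)({ config: function(e) { return e } })
  },
  renderLabel: function(e) { return evaluate(e) }
};
setTimeout("tick()", 100);`;

const sampleFindings = findEvalSinks(SAMPLE);
for (const f of sampleFindings) console.log(`${f.line}:${f.column} ${f.kind}: ${f.snippet}`);
```

Each finding is a call site that throws under a policy lacking `unsafe-eval`, so the list doubles as a checklist when evaluating whether a bundle can run under the stricter CSP.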
Thank you for bringing this to our notice. We will look into this.