Cannot Update Content Security Policy

[jax-2220]

Hi,

I am currently trying to update the content security policy to not include unsafe-inline or unsafe-eval. I have included necessary domains in the CSP but it is not working as expected. Is there a standard process for updating CSP for lex-web-ui and can you give us some insight on how to remove unsafe-inline and unsafe-eval when running/deploying the application with webpack?

Thanks!

[atjohns]

The CSP is located in the index.html page, you'll want to remove them from there directly. If you build/deploy from webpack after making those changes it should get pushed out to your implementation of the web ui.

[jax-2220]

We have already updated the CSP successfully, but we are unable to load our application without unsafe-inline/unsafe-eval. Do you have any guidance on what needs to be included in our CSP if we need to remove unsafe-inline/unsafe-eval? We have already included our needed domain.

[atjohns]

The VueJS requires the unsafe-eval to function (it appears the runtime version - vue.runtime.global.prod.min.js - is fully CSP compatible but I was never able to get that to work properly, we use the vue.global.prod.min.js).

Vuetify used to required unsafe-inline but it appears you can use a nonce now, I will look into doing that for the next release so we can remove unsafe-inline.