Reputation: 1342
Our application is being updated to comply with new CSP (Content Security Policy) rules.
E.g. Inline event handlers are replaced with addEventListener(), and inline styles replaced with CSS.
However, in some instances document location is set to a javascript expression, like so...
document.location = 'javascript:someFunction()';
...which causes the following error...
"Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline'
My question: What is an equivalent way of re-writing this so that it complies with CSP rules?
Upvotes: 0
Views: 735
Reputation: 1305
It is blocked by unsafe-inline. Please consider either:
someFunction() returns a valid URI, you can write document.location = someFunction(); as @ControlAltDel mentions.
someFunction().
Upvotes: 1
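An added example (not part of the question or the answer above): legacy call sites that assign strings such as 'javascript:someFunction()' to document.location can be routed through a dispatcher that calls an allowlisted function directly and only navigates for http(s) URLs, so no JavaScript URL is ever evaluated. ALLOWED_HANDLERS, resolveTarget, go, the body of someFunction and the https://app.example/ base are assumptions made for this illustration.

```javascript
// Hypothetical allowlist: the only functions a legacy "javascript:" target may reach.
const ALLOWED_HANDLERS = {
  someFunction: () => 'someFunction ran', // stand-in body for the page's someFunction()
};

// Accepts only "javascript:name()" with no arguments. Anything richer is
// never evaluated; it falls through to the scheme check below and is refused.
const JS_CALL = /^\s*javascript:\s*([A-Za-z_$][\w$]*)\s*\(\s*\)\s*;?\s*$/i;

// Classify a legacy target string without executing it.
function resolveTarget(target, base = 'https://app.example/') {
  const m = JS_CALL.exec(target);
  if (m) {
    const name = m[1];
    // Own-property check so names like "constructor" cannot resolve via the prototype.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_HANDLERS, name)) {
      throw new Error(`handler not allowlisted: ${name}`);
    }
    return { kind: 'call', fn: ALLOWED_HANDLERS[name] };
  }
  // The URL parser normalises the scheme (case, embedded tabs/newlines),
  // so checking url.protocol is more reliable than a string prefix test.
  const url = new URL(target, base);
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`refusing scheme ${url.protocol}`);
  }
  return { kind: 'navigate', url: url.href };
}

// Drop-in replacement for `document.location = target`.
// In a browser, loc defaults to the page's location object.
function go(target, loc = globalThis.location) {
  const r = resolveTarget(target);
  if (r.kind === 'call') {
    return r.fn(); // direct call: permitted by script-src, no JavaScript URL involved
  }
  loc.href = r.url;
  return r.url;
}
```

New call sites should call the function directly; the dispatcher is only for strings that already flow through shared navigation code.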