Bumpy

Reputation: 1342

CSP with javascript in "document.location"

Our application is being updated to comply with new CSP (Content Security Policy) rules.

E.g. inline event handlers are replaced with addEventListener(), and inline styles are replaced with CSS.

However, in some instances document location is set to a javascript expression, like so...

document.location = 'javascript:someFunction()';

...which causes the following error...

"Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 

My question: What is an equivalent way of re-writing this so that it complies with CSP rules?

Upvotes: 0

Views: 735

Answers (1)

user-id-14900042

Reputation: 1305

It is blocked by unsafe-inline. Please consider either:

  1. If someFunction() returns a valid URI, you can write document.location = someFunction(); as @ControlAltDel mentions.
  2. If it does not, you can just call someFunction().

Upvotes: 1
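
The two options in the answer, worked through as an added example that is not part of the original question or answer: legacy `javascript:` targets are mapped to an allow-list of functions and called directly, and any URL that comes back is scheme-checked before it is assigned to `document.location`. The helper names, the sample handlers and the base URL are assumptions made for illustration.

```javascript
// Added example; every name here (legacyHandlers, resolveLegacyTarget, checkUrl,
// go) and the sample handlers are assumptions, not code from the question.

// Allow-list of functions formerly reached through javascript: URLs (constructed).
const legacyHandlers = {
  someFunction: () => '/reports/summary', // returns a URL (answer option 1)
  refreshPanel: () => undefined,          // side effect only (answer option 2)
};

const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Parse and return an absolute URL, rejecting javascript:, data: and the like.
function checkUrl(value, baseUrl) {
  const url = new URL(value, baseUrl); // throws on unparsable input
  if (!SAFE_SCHEMES.has(url.protocol)) {
    throw new Error(`refusing to navigate to scheme ${url.protocol}`);
  }
  return url.href;
}

// Map a legacy target string to { called, navigateTo } without eval.
function resolveLegacyTarget(target, handlers, baseUrl) {
  const m = /^\s*javascript:\s*([A-Za-z_$][\w$]*)\(\)\s*;?\s*$/i.exec(target);
  if (!m) return { called: null, navigateTo: checkUrl(target, baseUrl) };
  const name = m[1];
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    throw new Error(`no registered handler for "${name}"`);
  }
  const result = handlers[name]();
  // Option 2: nothing to navigate to, the call itself was the point.
  if (typeof result !== 'string') return { called: name, navigateTo: null };
  // Option 1: the function produced a URL; validate it before assigning it.
  return { called: name, navigateTo: checkUrl(result, baseUrl) };
}

// Browser-side replacement for `document.location = target`.
function go(target) {
  const { navigateTo } = resolveLegacyTarget(target, legacyHandlers, document.baseURI);
  if (navigateTo) document.location = navigateTo;
}
```

Call sites that previously assigned a `javascript:` string can call `go()` with the same string during migration; anything that is not a registered zero-argument call or an http(s) URL throws instead of running.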
