Bumpy
Reputation: 1342
CSP with javascript in "document.location"
Our application is being updated to comply with new CSP (Content Security Policy) rules.
E.g. Inline event handlers are replaced with addEventListener(), and inline styles replaced with CSS.
However, in some instances document location is set to a javascript expression, like so...
document.location = 'javascript:someFunction()';
...which causes the following error...
"Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline'
My question: What is an equivalent way of re-writing this so that it complies with CSP rules?
Upvotes: 0
Views: 735
Answers (1)
user-id-14900042
Reputation: 1305
It is blocked by unsafe-inline. Please consider either:
- If
someFunction()returns an valid URI, you can writedocument.location = someFunction();as @ControlAltDel mentions. - If it does not, you can just call
someFunction().
Upvotes: 1
Related Questions
- how to add Content Security Policy (CSP)
- Content Security Policy bypass
- Content security policy including a script
- CSP issue in firefox
- CSP - allowing my own scripts from given directory
- Javascript bookmarklet on site with CSP in Firefox
- What is the correct way to load a script with the 'strict-dynamic' CSP directive?
- Enabling CSP policy causing javascript on frontend to NOT send cookies and referrer header?
- Does CSP require "use strict"
- JavaScript - window.location - Permission Denied - Cross Site Scripting