Improve security of Javascript Client API: no eval or inline code - Mendix Forum


43

While implementing the security advice of adding the HTTP header Content-Security-Policy, I found out that the Mendix application can only function properly when it has the flags 'unsafe-inline' and 'unsafe-eval' configured for the script source.

Please improve the security of the Javascript Client API by removing the default inline code and by avoiding the use of the eval() function.

Then we make all Mendix applications a bit safer!

__

Some background info:

Configuring the CSP HTTP Header in a Mx Cloud v4 environment:


Without the ‘unsafe-inline’ flag, you would get an error like below, because the dojoConfig variable is configured by default in an inline <script> snippet on your index HTML page.

Without the ‘unsafe-eval’ flag, you would get an error like below, because the eval() function is used frequently in mxclientsystem/mxui.js.


asked
3 answers

As you said, some third-party applications no longer work out of the box. Configuring CSP very much depends on what third-party applications you use in your application and is thus not something that can be configured out of the box.

Created

I consider applying this solution to an existing project. Is there a reason why Mendix doesn't use this by default in their code? Are there any risks or consequences involved?

I understand that some third-party applications no longer work if you make the CSP headers stricter, but does this also apply to using the new dojo config without changing the CSP headers?

Created

We actually have a guide on how to set up CSP for Mendix without unsafe-inline: https://docs.mendix.com/howto/security/using-mobile-capabilities/csp/ 

Created