Content Security Police compatibility broken

Are you requesting a feature, reporting a bug or ask a question?

The newest release 1.0.2 broke the compatibility with Content Security Police (CSP) which forbids the use of inline Javascript and the use of “eval()” function.

What is the current behavior?

Browser refuses to execute Javascript. Survey is not showing up at all.

What is the expected behavior?

Everything works as it was with 1.0.1.

How would you reproduce the current behavior (if this is a bug)?

Inject a CSP for testing purpose. Add to HTML Head: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';">

Provide the test code and the tested page URL (if applicable)

Tested page URL: Press F12 to open your javascript console! SurveyJS 1.0.2 (broken): https://iq4s-2.hci.uni-hannover.de/tmp/index.php?id=4ff93b77 SurveyJS 1.0.1 (working): https://iq4s-2.hci.uni-hannover.de/master/index.php?id=4ff93b77

Test code not needed.

Specify your

• browser: Google Chrome
• browser version: 63
• surveyjs platform (angular or react or jquery or knockout or vue): jquery
• surveyjs version: 1.0.2