CSP Build for 3.15.1 breaks functions like Math.max #4700
As per the CSP docs, global variables and functions should work when using the CSP build, e.g.

As of v3.15.1, these globals no longer work. This seems to be a result of this commit @joshhanley

Whether or not this is intended, it is a surprising breaking change for a patch version.

CodePen here: https://codepen.io/Simon-Jarrett-the-decoder/pen/MYKdPWd

Side note: the release notes reference
Replies: 1 comment
Sorry about that. We've realized that allowing globals defeats the entire purpose of the CSP build and allows people to execute dangerous code in their expressions that gets them around CSP blocks. They can access your nonce and inject their own JavaScript using globals.

We realize this is surprising and not ideal, but this really is a hard constraint.

We recommend that you extract anything that needs a global into a function or other form of abstraction. Sorry, thanks for understanding.
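One way to act on the recommendation in the reply, as an added example that is not part of the thread or Alpine's own code: a heuristic audit that lists directive expressions still referencing a global, next to a component factory that moves `Math.max` out of the template. The `GLOBALS` list, the `scores` component, the `findGlobalUse` helper and the sample markup are assumptions constructed for illustration.

```javascript
// Added example, not Alpine's code: audit templates for globals, then move
// the global call into component code as the reply recommends.

// Constructed, non-exhaustive list of globals to flag (assumption).
const GLOBALS = ['Math', 'JSON', 'Date', 'Number', 'Object', 'Array',
  'window', 'document', 'console', 'parseInt', 'parseFloat'];

// Double-quoted Alpine attributes: x-*, ":" bind and "@" event shorthands.
const DIRECTIVE = /\s(x-[\w.:-]+|[:@][\w.:-]+)="([^"]*)"/g;

// Return every directive whose expression references a listed global.
function findGlobalUse(html) {
  const hits = [];
  for (const [, attr, expr] of html.matchAll(DIRECTIVE)) {
    // Drop string literals so the text 'Math' inside quotes is not flagged.
    const code = expr.replace(/'[^']*'|`[^`]*`/g, '');
    // A global is a bare identifier, not a property such as stats.Math.
    const globals = GLOBALS.filter(
      (g) => new RegExp(`(?<![\\w$.])${g}\\b`).test(code));
    if (globals.length) hits.push({ attr, expr, globals });
  }
  return hits;
}

// Component factory: Math.max now runs in script, not in the template.
// Register with Alpine.data('scores', scores) and bind x-text="highest".
function scores() {
  return {
    values: [3, 9, 4],
    get highest() { return Math.max(...this.values); },
  };
}

// Constructed sample markup: two expressions here still rely on a global.
const SAMPLE = `
<div x-data="scores">
  <span x-text="Math.max(...values)"></span>
  <span x-text="highest"></span>
  <b :class="{ late: Date.now() > deadline }" @click="label = 'Math'"></b>
</div>`;

for (const h of findGlobalUse(SAMPLE)) {
  console.log(`${h.attr}="${h.expr}" uses ${h.globals.join(', ')}`);
}
console.log('highest =', scores().highest);
```

The scan is regex-based and only sees double-quoted attributes, so treat its output as a list of places to review before upgrading rather than a complete inventory.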