Content Security Policy with Google Closure

I am trying to enable CSP for my web application. My policy is something like:

"default-src 'self' gap: cdvfile:;"

I am using Google Closure for JavaScript. However, without JavaScript optimization, my JS is blocked because:

goog.json.parse uses eval()

If I compile my code with Closure Compiler, there is no issue, as in an advanced compile eval() is not used (JSON.parse is used).

I know, as a workaround, I can use sha256-..... or nonce=.....

Is there any other way I can use CSP without using sha.. or nonce...?

There is 1 answer

Chad Killingsworth

I believe that if you add goog.json.USE_NATIVE_JSON = true; to your code, it won't use eval.
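
Added example (not part of the original question or answer, and not Closure Library code): a simplified single-policy model of how CSP decides whether eval() may run. eval() is gated by the 'unsafe-eval' keyword on script-src, falling back to default-src, and nonce or hash sources do not change that. The function names and the nonce value are constructed for illustration.

```javascript
// Added example: decide whether a single CSP policy string permits eval().
// Simplified model; parseCsp and evalAllowed are hypothetical helper names.

// Parse a policy into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and string-argument setTimeout are governed by
// script-src, falling back to default-src. Only 'unsafe-eval' enables them;
// host, scheme, nonce and hash sources have no effect on eval().
function evalAllowed(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive, no restriction
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies. The first is the policy from the question.
const samples = [
  "default-src 'self' gap: cdvfile:;",
  "default-src 'self' gap: cdvfile:; script-src 'self' 'nonce-EXAMPLE'",
  "default-src 'self' gap: cdvfile:; script-src 'self' 'unsafe-eval'",
];

// Returns one { policy, evalAllowed } record per sample.
function checkSamples() {
  return samples.map((policy) => ({ policy, evalAllowed: evalAllowed(policy) }));
}

for (const row of checkSamples()) {
  console.log(row.evalAllowed ? 'eval allowed:' : 'eval blocked:', row.policy);
}
```

Under the policy from the question the check reports eval as blocked, which is why the uncompiled build fails while the compiled build that uses JSON.parse does not.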