v4 Modal transition (fade) violates CSP (script-src 'unsafe-inline')

Question

v4 Modal transition (fade) violates CSP (script-src 'unsafe-inline')

Closed this issue 8 years ago · 3 comments

Modals with the .fade class trigger an error on show, causing the modal to fail to show and scripts to stop working requiring a page reload. This wasn't a problem in v3 and seems to be caused by the reflow function trying to eval() and inject javascript in the page.

Using branch v4-dev in a Meteor app.

Answer 1 · 2015-10-18T18:09:56.000Z

This is the cause of the problem (in util.js):

reflow: function reflow(element) {
  new Function('bs', 'return bs')(element.offsetHeight);
},

I'm trying to figure an alternative way to access the proper global object, without using the function constructor, unless you want to classify this as WontFix as well.

Answer 2 · 2015-10-18T18:18:20.000Z

I wonder, wouldn't something like this cause a reflow without creating a new function?

reflow: function reflow(element) {
  return element.offsetHeight;
},

Answer 3 · 2015-10-18T20:43:12.000Z

That strange coding style might be a remnant from earlier drafts of v4 which used the Google Closure compiler, presumably to prevent that function from being optimized away completely.
CC: @fat