Improve security of Javascript Client API: no eval or inline code
While implementing the security advice of adding the HTTP Header Content-Security-Policy, I found out that the Mendix application can only function properly when it has the flags 'unsafe-inline' 'unsafe-eval' for script source configured.
Please improve the security of the Javascript Client API by removing the default inline code and by averting the usage of the eval() function.
Then we make all Mendix applications a bit more safe!
__
Some background info:
Configuring the CSP HTTP Header in a Mx Cloud v4 environment:
Without the ‘unsafe-inline’ flag, you would get an error like below, because the dojoConfig variable is configured by default in an inline <script> snippet on your index HTML page.
Without the ‘unsafe-eval’ flag, you would get an error like below, because the eval() function is used frequently in the mxclientsystem/mxui.js