[Dojo-interest] Loading dojo with content security policy (CSP) without unsafe-eval

Dylan Schiemann dylan at dojotoolkit.org
Mon May 23 07:23:16 EDT 2016

In the current implementation, we had set it to be something that could
be configured for builds, but we were not really thinking this would be
a run-time configurable feature setting. We can revisit that decision.

Meanwhile, you could do something like this:

// app/has.js
define([ 'dojo/has' ], function (has) {
	has.add('csp-restrictions', true);
	return has;

And then in your configuration object, you can change the value for map
so that Dojo and other code picks up your extended form of has, except
for your extension module:

map: {
    '*': {
        'dojo/has': 'app/has'
    'app/has': {
        'dojo/has': 'dojo/has'

for more details on map configuration.


on 5/22/16, 18:54 (GMT-07:00) Jason Rivard said the following:
> I would like to load dojo/dijit on a page with a
> Content-Security-Policy header that does not include 'unsafe-eval'.
> When loading dojo.js from 1.11.1 without unsafe-eval enabled, I see
> the following error:
> -- copy ---
> dojo.js:348 Uncaught EvalError: Refused to evaluate a string as
> JavaScript because 'unsafe-eval' is not an allowed source of script in
> the following Content Security Policy directive: "script-src 'self'
> 'unsafe-inline' 'nonce-owFwutk2cD0/WB79vWfsXNlECBAxLaac' ".
> hasCache.host-browser @ dojo.js:348(anonymous function) @ dojo.js:1973
> test.js:93 Uncaught ReferenceError: require is not defined ...
> -- end copy --
> The 1.11 release notes have this section:
> -- copy --
> csp: A feature test, 'has("csp-restrictions")' was added for non-csp
> compliant code. Please set this feature test to true in order to run
> code that must be csp compliant.
> -- end copy --
> But I have no idea what this means, does the CSP above refer to
> 'content-security-policy' ? If so is this a flag somehow I need to
> set?  I tried setting this on the <script
> data-dojo-config="{csp-restrictions: true}" ..> dojo load statement
> but that didn't seem to do anything.  The dojo.js 'var eval_' section
> near line dojo.js:348 has a conditional that seems to avoid the eval()
> that I'm seeing in the error message, but I don't have any idea how to
> trigger the 'has("csp-restrictions")' conditional to make it avoid the
> eval().
> In my environment I can not modify/compile the dojo release code.
> So my questions is: is it possible to use unmodified/compiled
> dojo/dijit on a page where the Content-Security-Policy is prohibiting
> unsafe-eval() ?
> Thanks!

More information about the Dojo-interest mailing list