As a security administrator I would like the PrizmDoc viewer client to be Content Security Policy compliant so that I can reliably prevent cross-site scripting (XSS) attacks
A customer is looking to add security to their application using a Content Security Policy, but the way PrizmDoc uses underscore.js makes it non-compliant, and the viewer cannot render while the following Content Security Policy directive is being enforced:
<meta http-equiv="Content-Security-Policy" content="script-src 'self'" />
This feature shipped in version 12.2.
Here's some info from lodash's GitHub:
https://github.com/lodash/lodash/issues/832
The major thing making us not CSP compliant appears to be that we use _.template(); if we could avoid that somehow, we would be compliant.
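The following is an added example, not PrizmDoc, underscore or lodash code, illustrating why `_.template()` conflicts with `script-src 'self'` and what a CSP-compatible replacement looks like. `_.template()` turns the template source into a JavaScript function with `new Function`, which a CSP without `'unsafe-eval'` blocks. The renderer below interprets a restricted subset of the same `<%- %>` / `<%= %>` syntax by string scanning, so no code is generated at run time, and `evalIsAllowed()` is a small runtime probe for whether the page's policy permits eval-based templating at all. Function names, the supported delimiter subset and the sample data are assumptions of this example.

```javascript
// Added example (not PrizmDoc or lodash code): a CSP-safe alternative to
// _.template(). _.template compiles template source into a function with
// `new Function`, which `script-src 'self'` blocks unless 'unsafe-eval' is
// added. This renderer interprets the template instead, so nothing is
// compiled at run time.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Supports two of _.template's delimiters: <%- expr %> (HTML-escaped) and
// <%= expr %> (raw). `expr` is restricted to a dotted property path such as
// `user.name`; arbitrary expressions are deliberately unsupported because
// evaluating them would need eval.
function compileCspSafeTemplate(source) {
  const tokenRe = /<%([-=])\s*([\w.]+)\s*%>/g;
  const parts = [];
  let last = 0;
  let m;
  while ((m = tokenRe.exec(source)) !== null) {
    parts.push({ text: source.slice(last, m.index) });
    parts.push({ path: m[2].split('.'), escape: m[1] === '-' });
    last = tokenRe.lastIndex;
  }
  parts.push({ text: source.slice(last) });
  return function render(data) {
    return parts.map(p => {
      if ('text' in p) return p.text;
      // Walk the property path; a missing segment renders as an empty string.
      const v = p.path.reduce((o, k) => (o == null ? undefined : o[k]), data);
      const s = v == null ? '' : String(v);
      return p.escape ? escapeHtml(s) : s;
    }).join('');
  };
}

// Runtime probe: can this page create functions from strings? Under
// `script-src 'self'` without 'unsafe-eval', browsers throw an EvalError here,
// which is the failure an eval-based template engine runs into.
function evalIsAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample data, including a value that must not be rendered raw.
const sample = { user: { name: '<script>alert(1)</script>' }, page: 3 };
const tpl = compileCspSafeTemplate('<p>Hello <%- user.name %>, page <%= page %></p>');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(tpl(sample));
  console.log('eval allowed in this runtime:', evalIsAllowed());
}
```

In a browser page served with `Content-Security-Policy: script-src 'self'`, `evalIsAllowed()` returns false and a CSP violation report is generated for the blocked `new Function` call, which is a useful smoke test when auditing whether a client library is compatible with the policy. Under Node, where no CSP applies, it returns true.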