Product Ideas

As a security administrator I would like the PrizmDoc viewer client to be Content Security Policy compliant so that I can reliably prevent cross-site scripting (XSS) attacks

Customer is looking to add security to their application using Content Security Policies, but the way PrizmDoc uses underscore.js makes it non-compliant, and the viewer cannot render while the following Content Security Policy directive is being enforced:

<meta http-equiv="Content-Security-Policy" content="script-src 'self'" />

  • Isaac Ramos
  • Jul 29 2016
  • Shipped
  • Mark Fears (Admin) commented
    23 Mar, 2017 03:18pm

    This feature shipped in version 12.2.

  • Josh Letcher commented
    19 Oct, 2016 07:25pm

    Here's some info from lodash's GitHub:

    https://github.com/lodash/lodash/issues/832

  • Josh Letcher commented
    19 Oct, 2016 05:00pm

    The major thing making us not CSP compliant appears to be that we use _.template(); if we could avoid that somehow we would be compliant.

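As an added illustration (not PrizmDoc, underscore.js or lodash code) of the point Josh Letcher raises: `_.template()` compiles each template into JavaScript source and runs it through `new Function()`, which `script-src 'self'` blocks unless `'unsafe-eval'` is also listed. The snippet below re-creates that compilation step in miniature, shows a string-interpolation renderer that needs no code generation, and includes a small helper that reports whether a given policy string permits eval; the template, data and policy strings are constructed for the example.

```javascript
// Added example (not PrizmDoc/underscore.js code). Why a template engine built on
// new Function() fails under "script-src 'self'", and a CSP-compliant alternative.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Miniature of the _.template() approach: the template text becomes JavaScript
// source that is compiled with new Function(). A browser enforcing
// script-src 'self' (no 'unsafe-eval') throws an EvalError here, so nothing renders.
function compileWithEval(tpl) {
  const body = tpl
    .replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\n/g, '\\n')
    .replace(/<%=\s*([\w.]+)\s*%>/g, '" + escape(data.$1) + "');
  const fn = new Function('data', 'escape', '"use strict"; return "' + body + '";'); // eval sink
  return (data) => fn(data, escapeHtml);
}

// CSP-compliant alternative: plain string replacement, no code generation, so no
// 'unsafe-eval' is needed; every interpolated value is HTML-escaped.
function renderSafe(tpl, data) {
  return tpl.replace(/<%=\s*([\w.]+)\s*%>/g, (_, path) =>
    escapeHtml(path.split('.').reduce((o, k) => (o == null ? '' : o[k]), data)));
}

// Does a policy string permit eval-style compilation? Scripts are governed by
// script-src, falling back to default-src when script-src is absent.
function cspAllowsEval(policy) {
  const directives = new Map(policy.split(';').map((d) => {
    const [name, ...values] = d.trim().split(/\s+/);
    return [name.toLowerCase(), values];
  }));
  const effective = directives.get('script-src') || directives.get('default-src') || [];
  return effective.some((v) => v.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample input: a viewer-style page template and its data.
const TEMPLATE = '<div class="page"><%= doc.title %> - page <%= page %></div>';
const DATA = { doc: { title: 'Q3 <Report>' }, page: 3 };

console.log(renderSafe(TEMPLATE, DATA));             // renders without eval
console.log(cspAllowsEval("script-src 'self'"));      // false: compileWithEval would be blocked
```

Outside a browser, `compileWithEval(TEMPLATE)(DATA)` produces the same markup as `renderSafe`; the difference only matters once the CSP above is enforced.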