Product Ideas

As a PrizmDoc integrator I would like viewer-assets to be CSP compliant.

Specifically the files viewercontrol.js and underscore.min.js. These files contain the code "eval()" & "new Function()" which trigger an "unsafe eval" CSP error.

We would like to keep our project CSP compliant and not need to pass 'unsafe-eval' to the Content Security Policy in order to resolve this error.

  • Kito Middleton
  • Feb 2 2023
  • Already exists
  • Mark Fears commented
    April 24, 2023 13:15

    The underscore.min.js "eval()" and "new function" complaints are something we already addressed in the CSP Compliance for Angular epic. We updated the viewer to no longer use underscore.min.js eval.

    Those changes went into PrizmDoc Viewer v13.22, released in Dec 2022. See release notes under version 13.22.

    Security
    Updated the Viewer Content Security Policy. The Viewer HTML templates are no longer compiled during runtime, which required allowing script-src unsafe-eval in Content Security Policy. The Viewer now supports loading precompiled HTML templates. Uncompiled HTML template strings are still supported, but support will be removed in a future version. Instead of uncompiled HTML template strings, the Viewer build now outputs precompiled HTML templates as functions in the viewerCustomizations.js file. If you have customized HTML templates, build the Viewer, and use the viewerCustomizations.js output in your application, then before building the Viewer you will need to update your HTML templates to access all properties via a data object (for example, data.myProperty instead of myProperty). For more information please see the description of the Viewer template option.


    Please use the latest (v13.22 or later) client and retest. If there is still an issue, provide Accusoft Support with a small sample or code snippet that we can use to replicate the CSP failures.

  • +2
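The release note above explains why the viewer had to move from runtime-compiled HTML templates to precompiled template functions. The following is an added example, not PrizmDoc, Accusoft or underscore.js code: a minimal underscore-style template compiler that builds a function with `new Function()` (the pattern that needs `'unsafe-eval'` in `script-src`), the same template as a precompiled function that reads its fields from a `data` object, and a small CSP parser that reports whether a given policy string permits eval. The template syntax, the `compileTemplateAtRuntime`, `precompiledGreeting` and `cspAllowsEval` names and the sample data are all constructed for this illustration.

```javascript
// Added example (not PrizmDoc or underscore code): contrasts a runtime-compiled
// template, which needs 'unsafe-eval', with a precompiled template function
// that works under a strict script-src, and checks a CSP string for 'unsafe-eval'.

// Runtime path: turn an underscore-style "<%= expr %>" template string into a
// function by generating JavaScript source and handing it to new Function().
// In a browser under a CSP without 'unsafe-eval' this call throws an EvalError.
function compileTemplateAtRuntime(templateSource) {
  let body = "var out = '';\n";
  let last = 0;
  const re = /<%=([\s\S]+?)%>/g;
  let m;
  while ((m = re.exec(templateSource)) !== null) {
    // Literal text before the placeholder, safely quoted as a JS string.
    body += "out += " + JSON.stringify(templateSource.slice(last, m.index)) + ";\n";
    // The placeholder expression, evaluated against the data argument.
    body += "out += String(" + m[1].trim() + ");\n";
    last = m.index + m[0].length;
  }
  body += "out += " + JSON.stringify(templateSource.slice(last)) + ";\n";
  body += "return out;";
  return new Function("data", body);
}

// Precompiled path: the equivalent of what a build step would emit for
// "Hello, <%= data.name %>! You have <%= data.count %> pages." - a plain
// function that reads every property via the data object, so no code is
// generated or evaluated at runtime and no 'unsafe-eval' is needed.
function precompiledGreeting(data) {
  return "Hello, " + String(data.name) + "! You have " + String(data.count) + " pages.";
}

// Parse a Content-Security-Policy header value and report whether eval()
// and new Function() are permitted. script-src governs this; if it is absent,
// default-src applies; if neither is present, script execution is unrestricted.
// Browsers honour only the first occurrence of a duplicated directive.
function cspAllowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  const sources = directives.get("script-src") || directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample input.
const sample = { name: "Ada", count: 3 };
const runtimeTemplate = compileTemplateAtRuntime(
  "Hello, <%= data.name %>! You have <%= data.count %> pages."
);
console.log(runtimeTemplate(sample));
console.log(precompiledGreeting(sample));
console.log(cspAllowsEval("default-src 'self'; script-src 'self'"));
console.log(cspAllowsEval("default-src 'self'; script-src 'self' 'unsafe-eval'"));
```

Both template paths produce identical output, which is the point: the rendering behaviour is unchanged, but only the runtime path generates code that the browser must evaluate, and that is what a `script-src` without `'unsafe-eval'` blocks. `cspAllowsEval` is a quick way to check a candidate header before deploying it alongside the viewer.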