Content Security Policy for BI Dashboard & Reporting — Say No To Unsafe JavaScript Evaluation!

Reporting Team Blog
09 January 2023

Hope you’re doing well. In this blog post, I’ll describe the latest CSP updates for both DevExpress Web Reporting and BI Dashboard components.

A Content Security Policy (CSP) is an additional layer of security built into most modern browsers. The CSP defines a list of policies or directives and initial values that determine which resources your site will allow or restrict. This allows the browser to recognize and mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. These attacks include, but are not limited to, data theft, page spoofing, and malware distribution.

Third-party libraries we use in our code relied on runtime function evaluation. As a result, our components previously required the script-src 'unsafe-eval' CSP directive in order to operate correctly. This directive permits script execution from a string on your page. In our most recent major update (v22.2), we modified our source code so that it no longer executes script from strings on the client. As such, you no longer need to specify the script-src 'unsafe-eval' CSP directive.

With this update, you’ll need to specify the following Content Security Policy directives for web pages that host our Reporting and BI Dashboard components:

Minimum required directives for Reporting

default-src 'self';
img-src data: https: http:;
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
worker-src 'self' blob:;
frame-src 'self' blob:

Minimum required directives for BI Dashboard

default-src 'self';
img-src data: https: http:;
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
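
The following checker, added here as an example and not DevExpress code, parses a CSP header string and reports which of the minimum sources listed above a page is missing, following the CSP3 fallback chain (for instance, worker-src inherits from child-src, script-src and then default-src), and whether 'unsafe-eval' is still granted to scripts. The directive lists REPORTING_MIN and DASHBOARD_MIN are taken from this post; the header strings in the comments are constructed samples.

```javascript
// Added example, not DevExpress code: parse a CSP header and check it against
// the minimum directive set the post lists for Reporting, flagging 'unsafe-eval'.
const REPORTING_MIN = {
  "default-src": ["'self'"],
  "img-src": ["data:", "https:", "http:"],
  "script-src": ["'self'", "'unsafe-inline'"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "worker-src": ["'self'", "blob:"],
  "frame-src": ["'self'", "blob:"],
};
// The BI Dashboard minimum is the first four directives of the Reporting set.
const DASHBOARD_MIN = Object.fromEntries(Object.entries(REPORTING_MIN).slice(0, 4));
// CSP3 fallback chains; any other fetch directive falls back to default-src only.
const FALLBACK = {
  "worker-src": ["child-src", "script-src", "default-src"],
  "frame-src": ["child-src", "default-src"],
};

// Split "name src src; name src" into a Map of directive -> lower-cased sources.
// Browsers ignore a repeated directive (the first one wins), so we do the same.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// Sources that actually govern `directive` once the fallback chain is applied.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || ["default-src"])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return [];
}

// Lists required sources the header does not grant, and whether script execution
// from strings ('unsafe-eval') is still allowed, which v22.2 no longer needs.
function checkCsp(header, required = REPORTING_MIN) {
  const missing = [];
  const policy = parseCsp(header);
  for (const [directive, sources] of Object.entries(required)) {
    const granted = effectiveSources(policy, directive);
    sources.filter((s) => !granted.includes(s)).forEach((s) => missing.push(`${directive} ${s}`));
  }
  return { missing, unsafeEval: effectiveSources(policy, "script-src").includes("'unsafe-eval'") };
}
```

Run it against the Content-Security-Policy header your server actually emits (for example, copied from the browser's network panel); a pre-v22.2 policy typically shows up as unsafeEval: true plus missing blob: entries for worker-src and frame-src.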

Documentation

Please refer to the following help topics to learn more about Content Security Policy support in our Reporting and BI Dashboard components:
