carbon-components-angular
script-src 'unsafe-inline' is required in CSP header because of href="javascript:void(0)"
`script-src 'unsafe-inline'` is required in the Content-Security-Policy header because of `href="javascript:void(0)"` generated by Carbon. See for an example: https://github.com/IBM/carbon-components-angular/blob/master/src/ui-shell/header/header-menu.component.ts#L76
This resulted in a low priority issue in a security audit.
There are probably better and safer ways to generate an empty href without requiring inline javascript.
Detailed description
Is this a feature request (new component, new icon), a bug, or a general issue?
general issue
Is this issue related to a specific component?
header-menu for example, but probably more components use inline javascript
What did you expect to happen? What happened instead? What would you like to see changed?
To not use inline javascript, so we can use a more secure Content-Security-Policy
What browser are you working in?
Chrome and IE11
What version of the Carbon Design System are you using?
Latest
I was running into this too. But then I realized you can just set the `href` attribute to `#` on the header element to override the default `javascript:void(0)`.
@jwesselink @SebTardif @makandre This was addressed a few PRs ago... If you go to https://github.com/IBM/carbon-components-angular/blob/master/src/ui-shell/header/header-menu.component.ts#L76, you'll see that the default value of `href` has been set to `#`. If `href` equals `#`, then we preventDefault the click event.