knockout-sortable
Use ko.sortable with ko.secureBindings (to avoid 'unsafe-eval')
Is it possible (or will it be possible) to use the knockout-sortable plugin on websites which use the knockout-secureBindings plugin in order to be able to implement a strict Content Security Policy which does not allow "unsafe-eval"? At the moment it seems not possible. I have so far used the sortable without problems, but when I make the CSP stricter (not allowing 'unsafe-eval') I get this error: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://code.jquery.com".
Here is a basic fiddle with knockout-secureBindings on: https://jsfiddle.net/rniemeyer/nxcdn69c/.
Can you describe a bit how to best test it out? I am trying the "CSP Tester" extension for Chrome, but not sure that I am configuring it correctly.
Thanks for the feedback. To configure Content Security Policy I specify this in the web.config (C# web project):
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="script-src 'self' https://code.jquery.com"></add>
    </customHeaders>
  </httpProtocol>
</system.webServer>
I reproduced the fiddle on a simple "test.html" page on my dev machine and it worked. I then added to that test page all the scripts I use in my app and it didn't work any more. I then removed the scripts one by one and the one causing problems was jquery.tmpl. I removed it from my app (not sure I need it anymore, maybe some old stuff) and now it does not complain any more. I can't sort yet but that's probably something on my side, I'll keep investigating. Is it a known issue with jquery.tmpl? Thanks
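An added example (not code from knockout-sortable, knockout-secureBindings, or anyone in this thread) for checking the two things discussed above: whether a Content-Security-Policy header like the one in the web.config actually forbids 'unsafe-eval', and whether the page can still compile code from strings at runtime, which is the operation Knockout's default binding provider needs and secureBindings avoids. The header strings and function names are constructed for the example.

```javascript
// Parse a Content-Security-Policy header value into { directiveName: [sources...] }.
// Directives are ';'-separated; each is "name source source ...".
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Keyword sources such as 'self' and 'unsafe-eval' are case-insensitive.
    policy[name] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return policy;
}

// True when string-to-code evaluation (eval, new Function) is permitted by
// the policy: script-src governs it, default-src is the fallback when
// script-src is absent, and a policy with neither directive allows it.
function scriptSrcAllowsUnsafeEval(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  return sources.includes("'unsafe-eval'");
}

// Runtime probe: performs the same kind of compilation from a string that the
// default Knockout binding provider does for data-bind attributes. Under a
// policy without 'unsafe-eval' a browser throws an EvalError here.
function runtimeEvalBlocked() {
  try {
    new Function('return 1')();
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample: the header from the web.config above.
const sampleHeader = "script-src 'self' https://code.jquery.com";
console.log('header allows unsafe-eval:', scriptSrcAllowsUnsafeEval(sampleHeader));
console.log('runtime eval blocked:', runtimeEvalBlocked());
```

Run the probe in the browser console of the page under test; if it reports blocked while the header check says eval is allowed, another header or meta tag is supplying the effective policy.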
cool - you shouldn't need jquery.tmpl, if you are just using normal Knockout templating.