ngx-datatable
Having javascript:void(0) causes an error when HTTP Header Content Security Policy "script-src 'self'" is used
I'm submitting a ...
[ ] bug report
[X] feature request
[ ] support request
Current behavior
When securing an application with the HTTP header Content-Security-Policy: script-src 'self' (meaning that only JavaScript originating from the same origin can run), using inline javascript:void(0), like in the datatable-pager on L13 for example, causes the following error:
Chrome:
Refused to run the JavaScript URL because it violates the following Content Security Policy
directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'),
or a nonce ('nonce-...') is required to enable inline execution.
Edge:
CSP14312: Resource violated directive 'script-src 'self'' in Content-Security-Policy: inline script. Resource will be blocked.
Expected behavior
All <a href="javascript:void(0)"> should be replaced by a simple <span>
Reproduction of the problem
Have the Web Server respond with the HTTP Header Content-Security-Policy: script-src 'self'; and click on the pager buttons.
What is the motivation / use case for changing the behavior?
Avoiding a noisy JavaScript error in the console.
Please tell us about your environment:
- Table version: 13.1.0
- Angular version: 6.1.7
- Browser: Chrome 69.0.3497.100, Microsoft Edge 42.17134.1.0
- Language: TypeScript 2.9.2
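A build-time check for the pattern this issue describes, as an added example that is not part of the issue or of the ngx-datatable code base: it scans template source for URL attributes whose value resolves to a javascript: URL, which a script-src 'self' policy refuses to run. The sample markup and the selectPage handler name are constructed for illustration.

```javascript
// Added example (not ngx-datatable code): lint template source for
// javascript: URLs that a `script-src 'self'` policy will block.

// Attributes whose value the browser treats as a URL to navigate to or load.
const URL_ATTRS = ['href', 'xlink:href', 'src', 'action', 'formaction'];

// True when the attribute value would be parsed as a javascript: URL.
function isJavascriptUrl(value) {
  const cleaned = value
    .replace(/[\t\n\r]/g, '')          // the URL parser drops ASCII tab/newline anywhere
    .replace(/^[\u0000-\u0020]+/, ''); // and leading C0 control characters or spaces
  return /^javascript:/i.test(cleaned); // scheme comparison is case-insensitive
}

// Returns one finding per offending attribute: { line, attribute, value }.
// Only plain quoted attributes are matched; Angular bindings such as
// [href]="expr" hold expressions, not literal URLs, and are skipped.
function findJavascriptUrls(template) {
  const findings = [];
  const attrRe = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  template.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(attrRe)) {
      const name = m[1].toLowerCase();
      const value = m[2] !== undefined ? m[2] : m[3];
      if (URL_ATTRS.includes(name) && isJavascriptUrl(value)) {
        findings.push({ line: i + 1, attribute: name, value });
      }
    }
  });
  return findings;
}

// Constructed sample markup, not the project's actual pager template.
const SAMPLE_TEMPLATE = [
  '<ul class="pager">',
  '  <li><a href="javascript:void(0)" (click)="selectPage(1)">1</a></li>',
  "  <li><a HREF=' JavaScript:void(0)' (click)=\"selectPage(2)\">2</a></li>",
  '  <li><a role="button" (click)="selectPage(3)">3</a></li>',
  '  <li><a href="/docs/javascript:intro">docs</a></li>',
  '</ul>',
].join('\n');

for (const f of findJavascriptUrls(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: ${f.attribute}="${f.value}" is blocked under script-src 'self'`);
}
```

The check does not decode HTML character references, so a value written with entities needs decoding before it is passed to isJavascriptUrl.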
🆙 Any news about this?
So this is basically not going to be fixed.
Can we get this PR merged? Without it, the pagination just doesn't work when Content-Security-Policy is applied to the website, which is a major functional gap.
Yes, pls merge this PR. We are also seeing the same issue.
Would it be possible to merge this PR? We are also running into this. Many thanks in advance!