
Non-inline JS #373

Closed
ghost opened this issue Dec 6, 2016 · 6 comments

Comments

@ghost

ghost commented Dec 6, 2016

Currently, in order to use yadcf with Content Security Policy one has to add the unsafe-inline policy due to the added on* attributes in the HTML (e.g. onchange). From what I understand, adding unsafe-inline is suboptimal as it works around one of the nice safety features CSP provides.

Would it be possible/feasible to use .on() or similar for filtering instead of inline script?

@vedmack
Owner

vedmack commented Dec 7, 2016

I don't think it will be possible, because most of the actions that are related to yadcf must happen before the actions of datatables, and in most cases it will prevent the original dt action from happening (filter instead of sort). Anyway, I think that there are more fine-grained solutions rather than using unsafe-inline, for example specifying the base64-encoded hash of the source code; see the following article / do additional research. Please update this thread in case you use some other solution.

@vedmack vedmack closed this as completed Dec 7, 2016
@ghost
Author

ghost commented Dec 7, 2016

Thanks for the reply! Unfortunately hashes and nonces are limited to <script> tags and won't work for other elements. I've looked over the CSP specification and found unsafe-hashed-attributes which looks promising but is still a WIP: https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage.

Perhaps if I hard-coded a list of the inline scripts yadcf generates this could work though is a bit beefy: one would have to compute hashes for every inline handler (including one for each table/column as the values differ slightly) but seems possible to do

@troysmith31

I'm having the same issue. Any suggestions on a workaround?

@stringfellow
Contributor

Plus one - any changes possible here?

@stringfellow
Contributor

I think #675 fixes this issue.

@vedmack
Owner

vedmack commented Jul 15, 2023

I have merged @stringfellow's PR; let me know how it works for you.
