Ext JS: vulnerabilities with CSP headers


I would like to know if the new version 7.7 of Ext JS has resolved the issue of vulnerabilities with CSP headers. Specifically, I would like to know if the "unsafe-eval" content security policy issue has been corrected.

I have tried version 7.5 and the problem with "unsafe-eval" CSP still occurs.

Refer to "Use of eval function in Sencha Ext JS":

Static scans of applications developed with Ext JS framework often report a “high severity” warning on the use of eval function when using 3rd party vulnerability analysis tools (e.g., Veracode, CheckMarx). The reported flaws point to the use of eval() or globalEval() in the Ext JS codebase. The tools typically flag such calls since a malicious user can plague the input data to the function causing unintended behavior. Ext JS versions flagged: 4.x, 5.x, 6.x, 7.x

https://docs.sencha.com/extjs/7.7.0/guides/other_resources/use_eval_func.html

No, even version 7.7 is not strict-CSP compatible. Why? Because it uses 'eval' to parse template strings.

However, you can read the official Sencha statement on this: https://docs.sencha.com/extjs/7.7.0/guides/other_resources/use_eval_func.html

Looks like Sencha is avoiding talking about this "issue" because there is no way to run Ext JS (even 7.7) without unsafe CSP directives, and they do not seem to have any intention to change it. I understand the text mentioned by Devendra, talking about the eval() function, is related, but it does not tell the whole history of CSP unsafe-eval and unsafe-inline.

The solutions seem to be to accept it as is or to move to another framework, which can be close to impossible in most situations.
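To make the CSP trade-off discussed in these answers concrete, here is a small script-src policy auditor, added as an example (it is not code from the question, the answers, or Ext JS). It parses a Content-Security-Policy header value and reports whether eval()/new Function() ('unsafe-eval') and inline scripts ('unsafe-inline') are permitted, applying the spec's fallback from script-src to default-src; the sample policies are constructed, and the nonce value is a placeholder.

```javascript
// Parse a CSP header value into { directiveName: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values.map((v) => v.toLowerCase());
  }
  return policy;
}

// script-src governs scripts; if absent, default-src applies; if both are
// absent, script execution is unrestricted (null).
function effectiveScriptSources(policy) {
  if (policy['script-src']) return policy['script-src'];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

// Report what the effective script policy allows. A nonce or hash source in
// the list causes browsers to ignore 'unsafe-inline' (CSP Level 2 and later).
function auditScriptPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    return { restricted: false, allowsEval: true, allowsInline: true };
  }
  const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  const inlineKeyword = sources.includes("'unsafe-inline'");
  return {
    restricted: true,
    allowsEval: sources.includes("'unsafe-eval'"),
    allowsInline: inlineKeyword && !hasNonce && !hasHash,
  };
}

// Constructed sample policies (not taken from the page):
// the relaxed one is what an eval-based template engine needs to run at all;
// the strict one is what a hardened deployment would prefer to ship.
const RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'";
const STRICT_CSP = "default-src 'none'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'";

console.log('relaxed:', auditScriptPolicy(RELAXED_CSP));
console.log('strict: ', auditScriptPolicy(STRICT_CSP));
```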