Content Security Policy blocked

[malz1987]

jquery-ajax-unobtrusive is blocked by CSP in line:
return Function.constructor.apply(null, argNames);
"Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'"."

In according to this site https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Firefox_OS_apps/Building_apps_for_Firefox_OS/CSP
The function constructor is banned

[mkArtakMSFT]

Thanks for contacting us, @szefik1987. One of our team members will look into it and get back to you.

[mkArtakMSFT]

@javiercn, can you please look into this and see what other options can be applied here?

[javiercn]

We can't do anything here. Essentially what the code is doing is building a function on the fly (a form of eval) that is being disallowed by CSP.
That form of eval is required for supporting writing expressions in the ajax related data-ajax-* attributes like data-ajax-begin, for example:

<form ... data-ajax-complete="$(this).hide()">
...
</form>

The alternative would require to either deprecate allowing expressions on the attributes or doing significant re-engineering to build all these expressions before-hand and emit proper functions for them on a script tag at the end of the page, which would likely, also have to be attributed with a nonce to bypass csp validation.

[mkArtakMSFT]

Closing this as the amount of work required to fix this is not worth the effort.

[KarsonAlford]

Related to Issue #49.