Handlebars.js: Content Security Policy header is not supported

Created on 15 May 2018  路  8Comments  路  Source: handlebars-lang/handlebars.js

This library is not working with CSP header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src). Are there any chances that library will work with it?

docs-needed

All 8 comments

Could you clarify that? What exactly is not working?

I should set 'unsafe-eval' to use handlebars woth CSP header. I think this is bad practice for app security.

Also I found 'unsafe-eval' is not necessary if I use precompiled templates, so I think you can close this ticket.

I understand now. Of course, the compiler does generate code dynamically (like eval()). In this case, you have to precompile the templates. This would be worth documenting...

I'm experiencing the same issue. I'm dynamically generating a preview of a user generated template in a textarea. So the propose precompile templates method isn't a viable solution. Any help would be much appreciated.

I'm sorry, but I really don't know what to do about this. Either there is a way to compile code despite of these header. Or it won't work with Handlebars.

The fact that Handlebars compiles its templates is the core concept. Everything is built around it.
You might be lucky with other libraries like incremental-bars or glimmer.

Or you might just write your own renderer based on the Handlebars AST. You probably need to write a custom visitor that does not create compiled code, but directly renders the template.

This could be a lot of work, but it is the only way that I can see to prevent Handlebars from creating dynamic code.

Thanks @nknapp, i ended up using mustache.js since my use case didn't required any handlebars specific features.

Hello, i have this error : "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive" using Handlebars. My policy in the CSP is not allowing the eval use (best practice for preventing XSS), and this happen in your project. Do you have any idea if you are going to change this so the Handlebars project will suport CSP? Thanks in advance for the response.

I had the idea of rewriting handlebars so that it doesn't compile code to JavaScript anymore, but instead uses the AST directly. It would be interesting to see how it performs. But it is a lot of work. I probably don't have the resources to do it, as you can see by the time it takes to respond to this issue.

On the other hand, I have the strong opinion that there are very few use cases where Handlebars should be used in the browser. Compiling templates in the browser on a production system is even worse. The only real use-case I can imagine is that you want to show a ouput-preview of a template that is edited by the user in the browser.

In all other situations, you should pre-compile your templates or reflect on your choice of framework. The installation documentation has a page about alternatives, if you just want to build a single-page-app.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

snimavat picture snimavat  路  5Comments

ustun picture ustun  路  6Comments

janus-reith picture janus-reith  路  3Comments

LengYXin picture LengYXin  路  3Comments

stevenvachon picture stevenvachon  路  7Comments