Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Reporting for Web > Reporting for React > Content Security Policy (CSP)
All docs
V25.1
Reporting
Product Information
What's New
.NET Support
Get Started with DevExpress Reporting
Create Different Report Types (Walkthroughs)
Detailed Guide to DevExpress Reporting
Memory Usage in Reporting - Best Practices
Localize Reporting Applications
Security Considerations
AI-powered Extensions
Visual Studio Report Designer
VS Code Report Designer
Reporting for Desktop
Reporting for .NET MAUI
Reporting for Web
Common Features
Document Viewer for Web
End-User Report Designer for Web
Standalone Report Parameters Panel for Web
Web UI Development Bundles that Include Reports
Reporting for Blazor
Reporting for ASP.NET Core
Reporting for Angular
Reporting for React
Document Viewer
Report Designer
Standalone Report Parameters Panel
Content Security Policy (CSP)
Reporting for Knockout-based Applications
Reporting for Vue
Reporting for ASP.NET MVC
Reporting for ASP.NET Web Forms
Version Upgrade Guide
Troubleshooting
Reporting .NET Migration Guides
Cloud Integration
.NET Aspire Integration
Cross-Platform .NET App UI
Backend Web API Service / REST API for Reporting
WCF Report Service
End-User Documentation
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

DevExpress v25.1 Update — Your Feedback Matters

Our What's New in v25.1 webpage includes product-specific surveys. Your response to our survey questions will help us measure product satisfaction for features released in this major update and help us refine our plans for our next major release.

Take the survey Not interested

Content Security Policy for React Applications

  • 6 minutes to read
In This Article
Troubleshooting
Error: Refused to Evaluate a String as JavaScript
Application Contains Only Native Report Viewer for React
Application Contains Report Designer for React
Error: Refused to Apply Inline Style and Scripts

A Content Security Policy (CSP) is an additional layer of security built into most modern browsers. It allows the browser to recognize and mitigate certain types of risks, including Cross Site Scripting (XSS) and data injection attacks. These attacks include, but are not limited to, data theft, page spoofing, and malware distribution.

The CSP defines a list of policies/directives and initial values that specify which resources your site allows/disallows.

To enable CSP, specify a Content-Security-Policy header or use the <meta> tag to explicitly define authorized functionality with CSP directives.

The following meta tag specifies minimum required directives for DevExpress Reporting components:

html
<head>
<!--...-->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self';
    img-src data: https: http:;
    script-src 'self';
    style-src 'self';
    connect-src 'self' http:my_backend_url;
    worker-src 'self' blob:;
    frame-src 'self' blob:;" />
<!--...-->
</head>
default-src 'self';
Fallback for other fetch directives.
img-src data: https: http:;
Allows components to load specific images and document pages.
script-src 'self';

Allows only scripts loaded from the same source as the current page protected with CSP.

The Knockout.js library requires the unsafe-eval source expression. For information on how to remove the unsafe-eval expression, refer to the following section: Error: Refused to Evaluate a String as JavaScript.

style-src 'self';
Allows the use of stylesheets from the same source as the current page protected with CSP. Specify other sources for stylesheets that are allowed (for example, 'https://fonts.googleapis.com/').
connect-src 'self' 'http:my_backend_url';
The my_backend_url value specifies the server endpoint. This is necessary for applications where client and server have different URLs.
worker-src 'self' blob:;
Required for printing.
frame-src 'self' blob: http:my_backend_url;
Required for printing. The my_backend_url value specifies the server endpoint. This is necessary for applications where client and server have different URLs.

#Troubleshooting

#Error: Refused to Evaluate a String as JavaScript

Certain Reporting components rely on the Knockout.js library. This library requires a unsafe-eval expression in the script-src directive. If the expression is missing, the following error occurs:

*Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script… *

Refer to the following sections depending on the Reporting Components used in your application.

Note

Application runs in debug mode may require additional permissions. For example, a debug session establishes a WebSocket connection to automatically reload your application on source code change. This mechanism may involve the use of unsafe JavaScript evaluation.

#Application Contains Only Native Report Viewer for React

The native Report Viewer for React does not rely on the Knockout.js library. React applications that use the Report Viewer component do not require the unsafe-eval expression in the script-src directive if all required types are imported from -native modules:

TypeScript
// Import from the aggregated module.
// import { fetchSetup } from '@devexpress/analytics-core/analytics-utils';
// Import from the native module.
import { fetchSetup } from '@devexpress/analytics-core/analytics-utils-native';

#Application Contains Report Designer for React

To remove the unsafe-eval source expression from the script-src directive, follow the steps below. These steps are specific to applications built with Vite, and may require adjustments depending on your project setup.

  1. Create a src/knockout_global.js file with the following content:

    js
    (function () {
window.eval = function (p) {
    if (p !== "this") {
        throw new Error("Invalid argument for eval. Only 'this' is allowed.");
    }
    return window; 
};
})();

  2. Reference the created file in the index.html page:

    html
    <!DOCTYPE html>
<html lang="">
<head>
    <!--...-->
</head>
<body>
    <div id="app"></div>
    <script src="/src/knockout_global.js"></script></head>
    <script type="module" src="/src/main.js"></script>
</body>
</html>

#Error: Refused to Apply Inline Style and Scripts

Depending on the framework/build tool used, the unsafe-inline expression may be required. If the expression is missing, the following error may appear in the browser console: Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-N2+pL/CTCJuYEGXM3p8y6xbRU0v1D1U8UcUh/uWdoGA=’), or a nonce (‘nonce-…’) is required to enable inline execution..

To remove unsafe-inline from the style-src directive, you may need to implement a nonce-based CSP. For more information refer to the documentation of framework or build tool, such as:

#Custom Templates Do Not Work

DevExpress Reporting custom templates are based on the Knockout JavaScript library. The Knockout library uses the data-bind attribute to render a value as follows: it generates a function as a JavaScript string and passes the string to the new Function constructor.

Knockout templates require the script-src 'unsafe-eval' CSP directive to function properly.

Important

We do not recommend the inclusion of the script-src 'unsafe-eval' directive in your content security policy. This directive may introduce a vulnerability as it enables script execution from a string on your page.

DevExpress Reporting stores JavaScript functions related to data-bind attributes in the cache, thus eliminating the need to run the script on the page. Our components do not need the ‘unsafe-eval’ directive.

Follow the steps below to use custom templates.

#Call the addToBindingsCache Function

To add a custom template to the function cache, call the addToBindingsCache function before the component is rendered. You can handle the BeforeRender event to call the function.

  • Example: DevExtreme Template

    <div data-options="dxTemplate: { name: 'content' }"></div>

  • Example: Knockout Binding

    <div data-bind="text: text, attr: { title: text }"></div>

#Use the CLI Utility

v22.2 and later ships with our @devexpress/analytics-core-cli CLI utility package. It includes the processBindings command. You can use this command to automatically generate a file with the code that calls the addToBindingsCache function to add your templates to the cache.

Run the following command to install the package:

console
npm i @devexpress/analytics-core-cli

To process custom templates, execute the following command:

console
node node_modules/@devexpress/analytics-core-cli/utils/processBindings <templates folder path> <result file path>

Command parameters are as follows:

templates folder path
A folder that contains template files (.HTML)
result file path
Path to the file being created

When prompted, select application type (Modules or Namespaces):

CLI Template Utility

The generated file contains JavaScript code that must be run in the DevExpress Reporting component’s BeforeRender event handler.