Our current CSP configuration does not allow ‘unsafe-inline’.
Details are below:
Applying inline style violates the following Content Security Policy directive ‘style-src ‘self’ *.walkme.com’. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-X8m1jazaelGoMn55/aDbCPtvvNI5DY9S4YuS2+X3Q9g=’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present. The policy is report-only, so the violation has been logged but no further action has been taken.
Regarding CSP, the need for “unsafe-eval” can be disabled with the help of the “strict” mode option, which doesn’t make use of eval and dynamic code generation for templates and date formatting. How to enable this mode is described here: strict of env, Others Webix Docs.
However, unfortunately, “unsafe-inline” is currently required for element styling and sizing in our library: the rendering of some elements is based (by their initial design) on calculating values and incorporating them into styles at runtime. The base values for skins involved in calculations are stored in JS. Therefore, a CSP disallowing “unsafe-inline” in style-src will break element rendering (this is so for the latest 11.4 Webix version and, accordingly, for the earlier versions).
Our dev team is already aware of your request, so they will investigate the possibilities for future updates to reduce the dependency on “unsafe-inline” usage. Thank you for your report!
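The rules quoted in the violation message above (hash, nonce, 'unsafe-inline', 'unsafe-hashes') can be checked offline with the following added example, which is not part of the original thread and is not Webix or browser code. It is a simplified model of the CSP3 inline-style check for Node.js; the function names, the sample CSS strings and the omission of `style-src-elem`/`style-src-attr` are assumptions of the example.

```javascript
// Added example: simplified model of the CSP3 check applied to inline styles.
const { createHash } = require("node:crypto");

const NONCE = /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/;
const HASH = /^'(sha256|sha384|sha512)-[A-Za-z0-9+/_-]+={0,2}'$/;

// Hash-source expression for the exact text of a <style> body or style attribute.
function cspHash(css, alg = "sha256") {
  return `'${alg}-${createHash(alg).update(css, "utf8").digest("base64")}'`;
}

// Source list governing inline styles: style-src, else default-src, else null.
function styleSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives.get("style-src") ?? directives.get("default-src") ?? null;
}

// kind is "element" (<style>) or "attribute" (style="...").
function inlineStyleAllowed(policy, { kind, css, nonce }) {
  const sources = styleSources(policy);
  if (sources === null) return true; // no applicable directive, nothing to enforce
  const keywords = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => NONCE.test(s) || HASH.test(s));
  // 'unsafe-inline' is ignored once any nonce or hash source is listed.
  if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  // Nonces only ever apply to <style> elements, never to attributes.
  if (kind === "element" && nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // Hashes apply to elements, and to attributes only with 'unsafe-hashes'.
  if (kind === "element" || keywords.includes("'unsafe-hashes'")) {
    return sources.some((s) => HASH.test(s) && s === cspHash(css, HASH.exec(s)[1]));
  }
  return false;
}

// Policy taken from the violation message; the CSS strings are constructed samples.
const PAGE_POLICY = "style-src 'self' *.walkme.com";
const styleBlock = { kind: "element", css: ".panel{width:240px}" };
const styleAttr = { kind: "attribute", css: "width:240px" };
const withHash = (item) => `${PAGE_POLICY} ${cspHash(item.css)}`;
console.log("page policy, <style>:", inlineStyleAllowed(PAGE_POLICY, styleBlock));
console.log("hash added, <style>:", inlineStyleAllowed(withHash(styleBlock), styleBlock));
console.log("hash added, style attr:", inlineStyleAllowed(withHash(styleAttr), styleAttr));
```

Because the hash must match the exact text, styles whose values are computed at runtime cannot be covered by a fixed list of hash sources.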