Pivot in strict mode

Hi Webix team,

We are webix/pivot pro users and CSP is enabled for our project. We have set window.webix_strict = true since in Strict mode Webix doesn’t use “eval”. But there is no such option present for Pivot, due to which we are getting “Refused to execute inline event handler because it violates the following Content Security Policy directive”.

We are getting this error since in Pivot.js new Function is referenced.
function e(e, n) { return new Function(n.propertyName, n.methodName, n.contextName, "return " + t(e, n)); }

Any pointers on this?

@Listopad @MariyaDemy @intregal @maksim

Hello @snap,

Could you please specify the version of the Pivot widget you are using? The updated Pivot (starting with version 9.0) does not make use of the eval() function, so you should not technically encounter this issue if your version is up-to-date.

Hi @Dzmitry,
We are using @9.3.3 pro version. Yes, eval is not used in Pivot, but there is a reference to new Function(), which is causing this CSP issue. We tried using ‘unsafe-inline’ too in our CSP but still the same issue.
We are getting error on line number 3954 in pivot.js :
function e(e, n) { return new Function (n.propertyName, n.methodName, n.contextName, "return " + t(e, n)); }.

Hello @snap,

Yes, you are right, my bad. There is indeed a single new Function call within the Pivot engine. Unfortunately, there is no good alternative to this implementation, and this call is pretty much required for the core functionality of the Pivot component (without it, the aggregation and such won’t work at all). So, disabling it is not really an option.

As a potential solution, it is possible to move all the calculations done by the Pivot engine to the server. At the moment, while possible, such customization is not well-supported (you would need to manually override the Local service and modify the logic relating to the inner engine).

However, we are planning on adding the option to enable external processing within the Pivot component in the near future (similar to the externalProcessing option from our old Pivot). In this mode, the Pivot will be used to display the data, while all the calculations will be done on the server (basically, the component expects to receive the fully aggregated data in this case).
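
An added example, not part of the thread and not Webix code: a small Node.js check of which CSP keyword governs `new Function` (the call discussed above) and which governs inline event handlers (the error text quoted in the first post). The function names and sample policies are constructed for illustration, and `'unsafe-hashes'` is not modelled.

```javascript
"use strict";

// Split a policy string into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Sources of the first directive in `chain` that the policy sets, or null
// when none is set (the behaviour is then not restricted by this policy).
function effectiveSources(policy, chain) {
  const directives = parseCsp(policy);
  const name = chain.find((d) => directives.has(d));
  return name ? directives.get(name).map((s) => s.toLowerCase()) : null;
}

// eval() and new Function() need 'unsafe-eval' in script-src (or default-src).
// 'unsafe-inline' and 'wasm-unsafe-eval' do not cover them.
function allowsNewFunction(policy) {
  const sources = effectiveSources(policy, ["script-src", "default-src"]);
  return sources === null || sources.includes("'unsafe-eval'");
}

// Inline handlers (onclick="...") need 'unsafe-inline', and browsers ignore it
// when a nonce, a hash or 'strict-dynamic' appears in the same source list.
function allowsAllInlineHandlers(policy) {
  const chain = ["script-src-attr", "script-src", "default-src"];
  const sources = effectiveSources(policy, chain);
  if (sources === null) return true;
  const overridden = sources.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return sources.includes("'unsafe-inline'") && !overridden;
}

// Constructed sample policies (not taken from the thread).
const samples = [
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-eval'",
  "script-src 'self' 'unsafe-inline' 'nonce-abc123'",
];
for (const p of samples) {
  console.log(p, "| new Function:", allowsNewFunction(p),
    "| inline handlers:", allowsAllInlineHandlers(p));
}
```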