Skip to main content
T
Tom.Walker
Participating Frequently
May 12, 2021
Answered

Content-Security-Policy 'unsafe-eval' error message on generated Javascript

  • May 12, 2021
  • 3 replies
  • 2640 views

We use RoboHelp 2019 to author WebHelp content for the online help of our web application. We use the RoboHelp 2015 command-line to generate the output as part of our continuous integration system with the final installs of the web application.

 

The online help is included within the web application under a separate directory and is ultimately served by IIS. Any configuration that we make for the web application necessarily affects the delivery of the help content (HTML, CSS, Javascript, and images) to the end user.

 

Due to new customer security requirements and changing guidelines for best practices in web application development, we have added a Content-Security-Policy HTTP header to the configuration for IIS. We are not allowed to use the 'unsafe-inline' or 'unsafe-eval' directives in this header. We have had to rework many of our web application pages to match these constraints, but the remaining piece is the online help.

 

We are able to generate secure hashes for the generated inline scripts to bypass the inline-script errors that the various browsers are throwing while viewing the help, so the 'unsafe-inline' is no longer a blocker. However, the generated Javascript in both inline-scripts and separate Javascript files contain numerous usages of the setTimeout() function that uses the hidden 'eval' version. As such, web browsers are generating errors and not executing the Javascript.

 

Has anyone else encountered similar issues with Content-Security-Policy headers in WebHelp?

 

Is there a way to modify the generated Javascript to not use the eval version of setTimeout?

    This topic has been closed for replies.
    Correct answer Jeff_Coatsworth

    So, you are using RH2019 to create WebHelp - is that the Classic version or New UI? What was the bit about using RH2015? Or was that just a typo? Not sure of the relevance of how you create the output to your JS issue. You might know that WebHelp has been phased out in RH2020+ in favour of HTML5 that just has the responsiveness turned off. Have you experimented with either the RH2019 New UI or RH2020 versions' HTML5 output to see if you have the same JS issues?
    If you have & are still stuck, then I think you need to have a chat with RH support - see https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your support contact options.

    3 replies

    S
    Community Manager
    Stefan GentzCommunity Manager
    Community Manager
    May 12, 2021

    @Tom.Walker, can we jump on a call (and maybe a screen sharing session) with you guys? With this kind of challenge, it is probably more efficient if the Adobe pros who are deeper in such specialized security things talk directly with you guys. Looks to me like a little bit out of scope of what the community forum here can assist with.

    Drop us a line at tcssup@adobe.com and put me on CC (my last name at adobe dot com).

    T
    Tom.WalkerAuthor
    Participating Frequently
    May 13, 2021

    Stefan,

     

    Thank you for the help.

    Jeff_Coatsworth
    Community Expert
    Jeff_CoatsworthCommunity Expert
    Community Expert
    May 12, 2021

    Really? How would RH2015 be able to digest a RH2019 Classic project? I always thought it was a one-way street. If it IS possible, then you're really producing "old" HTML out of RH2015 - there could be a whole pile of security fixes that you're missing in that output (since it's not getting any patches anymore).

    I'm surprised that the newest RH2020 frameless HTML5 output would have the same issues - let us know what you find out from the RH support folks.

    T
    Tom.WalkerAuthor
    Participating Frequently
    May 12, 2021

    I was mistaken, it seems that we used RH2019 Classic to generate the HTML5 output. We're upgrading the project to RH2019 New UI and will see where it leads.

     

    I'll circle back with the results.

    Jeff_Coatsworth
    Community Expert
    Jeff_CoatsworthCommunity ExpertCorrect answer
    Community Expert
    May 12, 2021

    So, you are using RH2019 to create WebHelp - is that the Classic version or New UI? What was the bit about using RH2015? Or was that just a typo? Not sure of the relevance of how you create the output to your JS issue. You might know that WebHelp has been phased out in RH2020+ in favour of HTML5 that just has the responsiveness turned off. Have you experimented with either the RH2019 New UI or RH2020 versions' HTML5 output to see if you have the same JS issues?
    If you have & are still stuck, then I think you need to have a chat with RH support - see https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your support contact options.

    T
    Tom.WalkerAuthor
    Participating Frequently
    May 12, 2021

    We are using RH2019 Classic to author the content. The bit about RH2015 is not a typo, unfortunately. The continuous integration server has RH2015 installed and we use the command-line as part of the build pipeline. When we update to RH2020 on the build server, we will update to the Responsive HTML5 output.

     

    We attempted the Responsive HTML5 output from RH2019 New UI, but it had the same Javascript issues. So we will need to check with RH support to determine further options.

     

    Thanks for your help!

     

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices