Content-Security-Policy 'unsafe-eval' error message on generated Javascript

Report · May 12, 2021

We use RoboHelp 2019 to author WebHelp content for the online help of our web application. We use the RoboHelp 2015 command-line to generate the output as part of our continuous integration system with the final installs of the web application.

The online help is included within the web application under a separate directory and is ultimately served by IIS. Any configuration that we make for the web application necessarily affects the delivery of the help content (HTML, CSS, Javascript, and images) to the end user.

Due to new customer security requirements and changing guidelines for best practices in web application development, we have added a Content-Security-Policy HTTP header to the configuration for IIS. We are not allowed to use the 'unsafe-inline' or 'unsafe-eval' directives in this header. We have had to rework many of our web application pages to match these constraints, but the remaining piece is the online help.

We are able to generate secure hashes for the generated inline scripts to bypass the inline-script errors that the various browsers are throwing while viewing the help, so the 'unsafe-inline' is no longer a blocker. However, the generated Javascript in both inline-scripts and separate Javascript files contain numerous usages of the setTimeout() function that uses the hidden 'eval' version. As such, web browsers are generating errors and not executing the Javascript.

Has anyone else encountered similar issues with Content-Security-Policy headers in WebHelp?

Is there a way to modify the generated Javascript to not use the eval version of setTimeout?

Report · May 12, 2021

So, you are using RH2019 to create WebHelp - is that the Classic version or New UI? What was the bit about using RH2015? Or was that just a typo? Not sure of the relevance of how you create the output to your JS issue. You might know that WebHelp has been phased out in RH2020+ in favour of HTML5 that just has the responsiveness turned off. Have you experimented with either the RH2019 New UI or RH2020 versions' HTML5 output to see if you have the same JS issues?
If you have & are still stuck, then I think you need to have a chat with RH support - see https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your support contact options.

Report · May 12, 2021

We are using RH2019 Classic to author the content. The bit about RH2015 is not a typo, unfortunately. The continuous integration server has RH2015 installed and we use the command-line as part of the build pipeline. When we update to RH2020 on the build server, we will update to the Responsive HTML5 output.

We attempted the Responsive HTML5 output from RH2019 New UI, but it had the same Javascript issues. So we will need to check with RH support to determine further options.

Thanks for your help!

Report · May 12, 2021

Really? How would RH2015 be able to digest a RH2019 Classic project? I always thought it was a one-way street. If it IS possible, then you're really producing "old" HTML out of RH2015 - there could be a whole pile of security fixes that you're missing in that output (since it's not getting any patches anymore).

I'm surprised that the newest RH2020 frameless HTML5 output would have the same issues - let us know what you find out from the RH support folks.

Report · May 12, 2021

I was mistaken, it seems that we used RH2019 Classic to generate the HTML5 output. We're upgrading the project to RH2019 New UI and will see where it leads.

I'll circle back with the results.

Report · May 12, 2021

We upgraded the project to RoboHelp 2019 New UI and re-generated the output. There are fewer inline scripts, but we still need to intercept them to generate secure hashes. Most of the setTimeout function calls have been updated to the non-eval version, but there are still a few more that we'll need to address.

There is a possibility of a phone call with RH support.

I will reply as we get further along with this issue.

Report · May 13, 2021

After a call with an RH support technician, we tried the RoboHelp 2019 Frameless output, which still has inline scripts (that we can work around), but we have yet to run into any eval statements.

Since we also have 2020 available, we will update to RoboHelp 2020 on our continuous integration server and using the Frameless output.

Thank you for your help.

Report · May 12, 2021

@Tom.Walker, can we jump on a call (and maybe a screen sharing session) with you guys? With this kind of challenge, it is probably more efficient if the Adobe pros who are deeper in such specialized security things talk directly with you guys. Looks to me like a little bit out of scope of what the community forum here can assist with.

Drop us a line at tcssup@adobe.com and put me on CC (my last name at adobe dot com).

Report · May 13, 2021

Stefan,

Thank you for the help.

Adobe Community

Content-Security-Policy 'unsafe-eval' error message on generated Javascript

1 Correct answer