AppStudio Forces CSP to have unsafe-inline

This issue is not a simple fix. I understand that AppStudio was designed a long time ago, before we all knew about security, pre-CSP and CORS. So it’s not surprising that AppStudio is in this situation.

Unsafe-inline CSP is not recommended, as it is a security risk. However, the browser community understands that not everyone has caught up to the latest security features. Unsafe-inline is when your index.html contains any SCRIPT tags.

To avoid Unsafe-inline and to secure your website/app, it is recommended that all scripts be anywhere but in the index.html file. This allows you to completely specify specific CSP for each resource, and CORS for these resources when necessary.

Obviously this is a big change for AppStudio. But I think it is time to start thinking about a version 9 or 10 or 11 that complies with this recommendation. I’m sure sometime in the future the app stores and browsers will not be so kind about unsafe-inline (or unsafe-eval).

Good idea - issue opened.
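
As an added example (not part of the original thread, and not AppStudio code): a small Node.js check that lists what in an index.html a Content-Security-Policy without 'unsafe-inline' would refuse to run, which is the inventory needed before moving scripts out of the page. The sample page, its file names and its handler names are constructed, and the scan is regex-based rather than a full HTML parser.

```javascript
// Added example: constructed input, regex-based scan (not a full HTML parser).
// Reports markup that a CSP without 'unsafe-inline' (and with no matching
// nonce or hash) refuses to run: inline <script> bodies, on* handler
// attributes, and javascript: URLs.
function findInlineScriptUses(html) {
  const findings = [];
  // Drop comments so commented-out markup is not reported.
  const src = html.replace(/<!--[\s\S]*?-->/g, "");
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

  for (const [, attrs, body] of src.matchAll(scriptRe)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external file, allowed by source list
    const type = (/\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs) || [])[1];
    // Data blocks such as type="application/json" are never executed.
    const executable = !type || /^module$|javascript|ecmascript/i.test(type);
    if (executable && body.trim()) {
      findings.push({ kind: "inline-script", detail: body.trim().slice(0, 40) });
    }
  }

  // Inspect the attributes of every remaining start tag.
  for (const [tag] of src.replace(scriptRe, "").matchAll(/<[a-z][^>]*>/gi)) {
    for (const [, name] of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "event-handler", detail: name.toLowerCase() });
    }
    if (/\s(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i.test(tag)) {
      findings.push({ kind: "javascript-url", detail: tag.slice(0, 40) });
    }
  }
  return findings;
}

// Constructed sample page (hypothetical file and handler names).
const SAMPLE_INDEX_HTML = `<!DOCTYPE html>
<html><head>
<script src="app.js"></script>
<script>var started = Date.now();</script>
<script type="application/json">{"a":1}</script>
<!-- <script>old()</script> -->
</head>
<body onload="init()">
<button onclick="go()" onmouseover="hint()">Go</button>
<a href="javascript:void(0)">x</a>
</body></html>`;

for (const f of findInlineScriptUses(SAMPLE_INDEX_HTML)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

An empty result means the page loads script only from external files, so the policy can name those sources without 'unsafe-inline'.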