Dear WeWeb team @Joyce,
I hope this message finds you well.
I am writing to express my concerns regarding the security protocols implemented within WeWeb. I apologize if my previous communication was unclear, and I aim to provide further clarification on my inquiry.
The company I represent is currently engaged in the development of a web system for a multinational corporation, catering to a substantial user base on a daily basis. As part of our efforts to enhance this system, we have contemplated exploring no-code solutions, particularly for the frontend aspects.
However, a critical requirement has arisen pertaining to the content-security-policy script-src directive. Specifically, our system necessitates the exclusion of 'unsafe-eval' and 'unsafe-inline' without nonce. Presently, our system relies on the ExtJS framework, wherein even the latest iteration (version 7.7) necessitates the allowance of these flags. Consequently, we are compelled to reconsider our frontend framework selection.
Our research has led us to discover that Vue.js could potentially fulfill our security prerequisites, provided we utilize the vue.runtime.js instead of the full vue.js version. Moreover, it appears that employing Vite over Webpack is optimal for achieving this objective.
Given that WeWeb leverages Vue.js and offers the capability to export code, we have contemplated whether exporting and hosting the code on our servers could facilitate compliance with our security standards, thereby alleviating concerns regarding WeWeb's servers.
Hence, I am reaching out to ascertain the feasibility of running a WeWeb application without necessitating 'unsafe-eval' and 'unsafe-inline' directives, or any other unsafe directives, within the CSP headers.
Your prompt response regarding this matter would be greatly appreciated, as it will significantly influence our decision-making process moving forward.
Thank you for your attention to this matter.
Warm regards.