CSP Compatibility with bootstrap.min.js

[abhisheksharma113448]

Hi Bootstrap Team,

I am using bootstrap.min.js (version 3.4) in my AngularJS project. I have a Content-Security-Policy (CSP) defined as follows:
<add name="Content-Security-Policy" value="script-src 'self' http: https: 'unsafe-inline' 'unsafe-eval';"/>

To enhance security, I need to remove unsafe-eval from the policy. Therefore, I need to check if the library file is CSP compatible, specifically looking for the usage of setTimeout, setInterval, eval, and Function without causing errors in the console.

What I Have Tried :

In the bootstrap.min.js library file (version 3.4), I noticed:

• setTimeout is used 6 times.
• setInterval is used once.

I have debugged the code, and while the first two setTimeout functions work properly, the subsequent setTimeout calls are not being executed when I remove unsafe-eval.

Question

Is bootstrap.min.js (version 3.4) fully CSP compatible without the unsafe-eval ?

Additional Information:

Operating System: Windows
Browser: Chrome
Bootstrap Version: v3.4.1

[julien-deramond]

Hey @abhisheksharma113448
Just for information, since Bootstrap v3 is EOL and so there won't be anything actionable on our side, I've converted your issue into a Q/A discussion.