Older versions of composer (including 4.0.0 SP2) rely on momentjs 1.7.0 which includes javascript code in the makeFormatFunction that is not allowed if a page is delivered with the following header:

Content-Security-Policy: script-src 'self'; object-src 'none'

which TM 5.1.3 sends.

I've looked thru all of the Composer version release notes but cannot see which version upgraded to momentjs 1.7.2 which does not have this problem.

Can someone please tell me which version of composer made the upgrade to momentjs 1.7.2


    CommentAdd your comment...

    1 answer


      Hi Matt,

      Composer was updated to use MomentJS 1.7.2 in Composer 4.3 Service Pack 2 due to the issue you mentioned with 1.7.0 not working with CSP. The two easiest solutions are to disable CSP or update your forms to use at least 4.3 SP2. The midway solution is to have two portals and have one with CSP and newer forms and another without CSP for your older forms.


      1. Matthew White

        Thanks for the update. For now I've added 'unsafe-eval' to script-src as a workaround.

      CommentAdd your comment...