Replace AlpineJS with a CSP-compatible library
The following discussion from !5 (merged) should be addressed:
- @costaraphael started a discussion: (+3 comments)

I'm not sure enabling unsafe eval is the way to go here. I followed the thread you linked, and did some further research, and it seems like Alpine isn't and won't be compatible with secure CSP headers, which could make the application vulnerable to an attack.
I think it might be a good idea to shop for another JS library. We are only going to use it for really simple stuff, so the simpler the better, but it must require us to write JS code in JS files, instead of evaluating code from the HTML.
Some alternatives I could find, that are lightweight and that should play nice with SSR:
- Stimulus - https://stimulus.hotwire.dev/
- LitElement - https://lit-element.polymer-project.org/
- Preact - https://preactjs.com/
What do you think?
Edited by Raphael Costa