-
Notifications
You must be signed in to change notification settings - Fork 44
CSP does not allow eval #39
CSP does not allow eval #39
Comments
@cordoval your wan't |
the trace i got in production after all the processing that webpack does, so if that is compiled there yes |
@cordoval this loader use |
i don't use eval and eval is weak for security. This is very clear when you check what it CSP and how attackers can leverage eval() function used in script-loader to break security. My use case is just the plain usage of this script-loader. I am going to close it but this was a big warning. |
I have the same issue.
Is there any way around it ? |
the work around is not using it |
I'm not sure I understand the work around. |
exactly, you need to use another thing |
@cordoval can you propose what to use? |
I am not sure @hotrush , i don't use this anymore, i cut it off long time ago |
I'm having this issue too. I have a legacy minified I've tried using the Has anyone found workaround? |
Can we use another way other than calling eval?
This is not good for security reasons
https://github.com/webpack-contrib/script-loader/blob/master/addScript.js#L9
source: https://scotthelme.co.uk/content-security-policy-an-introduction/
The text was updated successfully, but these errors were encountered: