This repository has been archived by the owner on Nov 5, 2019. It is now read-only.

CSP does not allow eval #39

Comments

@cordoval

Can we use another way other than calling eval?

This is not good for security reasons.

https://github.com/webpack-contrib/script-loader/blob/master/addScript.js#L9

addScript.js:9 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


    at eval (<anonymous>)
    at e.exports (addScript.js:9)
    at Object.659 (jquery.mask.js?872b:1)
    at __webpack_require__ (bootstrap 3d71110…:54)
    at Object.869 (vendors.js:32296)
    at __webpack_require__ (bootstrap 3d71110…:54)
    at e.20 (bootstrap 3d71110…:152)
    at bootstrap 3d71110…:152

source: https://scotthelme.co.uk/content-security-policy-an-introduction/

@alexander-akait
Member

@cordoval do you want eval on the bundling step or in compiled code?

@cordoval
Author

cordoval commented Aug 1, 2017

The trace I got in production after all the processing that webpack does, so if that is compiled there, yes.

@alexander-akait
Member

@cordoval this loader uses eval inside; you should search for another solution for your case. Can you explain the case why you use eval?

@cordoval
Author

cordoval commented Aug 1, 2017

I don't use eval, and eval is weak for security. This is very clear when you check what CSP is and how attackers can leverage the eval() function used in script-loader to break security. My use case is just the plain usage of this script-loader. I am going to close it, but this was a big warning.

@cordoval cordoval closed this as completed Aug 1, 2017
@yairinot

I have the same issue.
I am trying to create an application using Angular 2 and Bootstrap.
Angular is using webpack for its build.
When script-loader tries to load the first JavaScript file I get this error:


Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


    at eval (<anonymous>)
    at webpackJsonp.../../../../script-loader/addScript.js.module.exports (addScript.js:9)
    at Object.../../../../script-loader/index.js!../../../../jquery/dist/jquery.slim.min.js (jquery.slim.min.js?5773:1)
    at __webpack_require__ (bootstrap c6feb7269e0a6fee60b5:54)
    at Object.2 (scripts.bundle.js:65)
    at __webpack_require__ (bootstrap c6feb7269e0a6fee60b5:54)
    at webpackJsonpCallback (bootstrap c6feb7269e0a6fee60b5:25)
    at scripts.bundle.js:1

Is there any way around it?

@cordoval
Author

The workaround is not using it.

@yairinot

I'm not sure I understand the workaround.
According to security guidelines I cannot use CSP with 'unsafe-eval'.
Does this mean I cannot use Angular with additional scripts due to this script-loader issue?

@cordoval
Author

Exactly, you need to use something else.

@hotrush

hotrush commented Feb 2, 2018

@cordoval can you propose what to use?

@cordoval
Author

cordoval commented Feb 2, 2018

I am not sure @hotrush, I don't use this anymore, I cut it off a long time ago.

opennode-jenkins pushed a commit to waldur/waldur-homeport that referenced this issue Jun 3, 2019
@PierBover

I'm having this issue too.

I have a legacy minified .js we have to import. script-loader works fine in most cases, except when running in an iframe in an app in Chrome OS and we get the unsafe-eval error.

I've tried using the noParse option in Webpack but that breaks the legacy file for some reason.

Has anyone found a workaround?
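Editor's added example (not code from script-loader, webpack or anyone in this thread): the browser error quoted above comes from the script-src directive of the page's CSP, which only permits eval() when it lists 'unsafe-eval'. The first half below is a small, simplified CSP parser that answers "would eval be allowed under this header?" (it handles the script-src / default-src fallback but ignores nonces, hashes and 'strict-dynamic', which do not change the eval decision). The second half shows the standard CSP-compatible way to bring a same-origin script into the page: inject a <script src> element so the browser fetches the file as a URL, which 'self' permits, rather than eval()-ing its source text. The function and parameter names are this example's own assumptions.

```javascript
// Added example: CSP eval check plus a CSP-friendly script injector.
// Neither function comes from script-loader; names are assumptions.

// Parse a Content-Security-Policy header into a Map of directive -> source list.
// Directives are separated by ';' and each is "name value value ...".
// As in browsers, a repeated directive name is ignored: the first one wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src governs eval(); if it is absent, CSP falls back to default-src.
// With neither present there is no governing directive and eval is not restricted.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// true when eval()/new Function()/string-argument setTimeout would be permitted.
// A header of exactly "script-src 'self'" (the one in the thread's error) yields false.
function evalAllowed(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// CSP-compatible loading: let the browser fetch the file through a <script src>
// element. Under script-src 'self' a same-origin URL is an allowed source, whereas
// eval() of the downloaded text is not. `doc` is injectable so this can be exercised
// outside a browser with a fake document (constructed in a test, not real DOM).
function loadScriptViaTag(url, doc = globalThis.document) {
  return new Promise((resolve, reject) => {
    const el = doc.createElement('script');
    el.src = url;
    el.async = false; // keep execution order for legacy scripts that depend on each other
    el.onload = () => resolve(url);
    el.onerror = () => reject(new Error(`failed to load ${url}`));
    doc.head.appendChild(el);
  });
}

// Usage in a page (browser only):
//   loadScriptViaTag('/legacy/vendor.min.js').then(() => console.log('loaded'));
```

Because the file is fetched by URL, it must be served from an origin the policy allows ('self' here), which is also what makes the approach auditable: the set of scripts a page can run stays in the CSP rather than in strings passed to eval().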
