Unsafe-eval in CSP Header

Siemens Experimenter

I am using a web framework which does not use any JavaScript eval(), but uses new Function(). The CSP header is still throwing the error

"Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".


Is it possible (recommended) to use 'unsafe-eval' in the CSP header in this case? It resolves my problem.



Re: Unsafe-eval in CSP Header

Apparently `eval()` and `new Function()`, though not exactly the same, are handled similarly by the CSP engine of browsers. This doesn't seem to be a MindSphere-specific issue.

So you either use `'unsafe-eval'` or look for workarounds in your framework; from what I've read, you might be able to pre-compile things to avoid this.

Good reads:
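The two points in the reply, as an added example that is not code from the original thread, from MindSphere, or from any particular framework: `new Function()` is string-to-code just like `eval()`, so the same `'unsafe-eval'` check applies, and the way around it is to turn the template into a closure ahead of time instead of into source text. The `{{name}}` template syntax, the helper names (`evalAllowed`, `compileWithFunction`, `compileWithoutEval`, `scriptSrcAllowsEval`) and the sample template are assumptions made for illustration.

```javascript
// Added example (not from the original post or any framework).
// Assumed template syntax: "{{ key }}" placeholders substituted from a data object.

// Feature detection that several libraries use: under a CSP whose script-src
// lacks 'unsafe-eval', the Function constructor itself throws an EvalError.
// (In Node there is no CSP, so this returns true.)
function evalAllowed() {
  try {
    new Function("return 1;");
    return true;
  } catch (e) {
    return false;
  }
}

// HTML-escape interpolated values so the template cannot become an XSS sink.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Split a template into literal text and placeholder tokens. Both compilers
// below share this parser; only the final step differs.
function tokenize(template) {
  const ops = [];
  const re = /\{\{\s*(\w+)\s*\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    ops.push({ text: template.slice(last, m.index) });
    ops.push({ key: m[1] });
    last = re.lastIndex;
  }
  ops.push({ text: template.slice(last) });
  return ops;
}

// Variant 1: generate JavaScript source text and hand it to Function().
// This is exactly what CSP refuses without 'unsafe-eval': the browser has to
// turn a string into code at runtime. (Constructed here to show the contrast.)
function compileWithFunction(template) {
  const parts = tokenize(template).map((op) =>
    op.key !== undefined
      ? `esc(data[${JSON.stringify(op.key)}])`
      : JSON.stringify(op.text)
  );
  const body = `return [${parts.join(",")}].join("");`;
  const fn = new Function("esc", "data", body); // blocked under a strict CSP
  return (data) => fn(escapeHtml, data);
}

// Variant 2: the "pre-compile" workaround. The parsed token list is closed over
// by an ordinary function; no string is ever evaluated as code, so this runs
// under "script-src 'self'" with no 'unsafe-eval'.
function compileWithoutEval(template) {
  const ops = tokenize(template);
  return (data) =>
    ops.map((op) => (op.key !== undefined ? escapeHtml(data[op.key]) : op.text)).join("");
}

// Check a CSP header value for the directive that governs eval/Function.
// Per the CSP spec, script-src falls back to default-src; if neither is
// present the policy does not restrict eval at all.
function scriptSrcAllowsEval(header) {
  const directives = new Map();
  for (const d of header.split(";")) {
    const [name, ...values] = d.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) return true;
  return sources.some((v) => v.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample input: untrusted value in the data object.
const SAMPLE_TEMPLATE = "<p>Hello, {{ name }}!</p>";
const SAMPLE_DATA = { name: "<b>Bob</b>" };

if (typeof require !== "undefined" && require.main === module) {
  console.log("eval allowed here:", evalAllowed());
  console.log(compileWithoutEval(SAMPLE_TEMPLATE)(SAMPLE_DATA));
  console.log(scriptSrcAllowsEval("script-src 'self' 'unsafe-inline'"));
}
```

The pre-compiled closure produces byte-for-byte the same output as the `Function()` version, which is the practical argument against adding `'unsafe-eval'`: that keyword re-opens string-to-code for every script on the page (including any injected one), whereas moving the compile step out of runtime string evaluation costs nothing at render time.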