Unsafe-eval in CSP Header

Siemens Experimenter

I am using a web framework which is not using any JavaScript eval(), but is using new Function(). The CSP header is still throwing the error

"Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' static.eu1.mindsphere.io".


Is it possible (recommended) to use "unsafe-eval" in the CSP header in this case? It resolves my problem.



Re: Unsafe-eval in CSP Header

Legend
Apparently `eval()` and `new Function()`, though not exactly the same, are handled similarly by the CSP engine of browsers. This doesn't seem to be a MindSphere-specific issue.

So you either use `unsafe-eval` or look for workarounds in your framework; from what I've read, you might be able to pre-compile things to avoid this.

Good reads:
https://stackoverflow.com/questions/4599857/are-eval-and-new-function-the-same-thing
https://security.stackexchange.com/questions/88610/problem-in-underscore-js-with-new-function-when-c...
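The two options the reply names, side by side, as an added example that is not part of this thread, of MindSphere, or of the asker's framework. `CSP_STRICT` is the policy quoted in the error message; `CSP_RELAXED` is the same policy with `'unsafe-eval'` added, constructed here for comparison. `allowsEval` is a deliberately small policy check (it only looks for the `'unsafe-eval'` keyword in `script-src`, falling back to `default-src` as browsers do). `compileWithNewFunction` shows the pattern that triggers the `EvalError`, turning template text into JavaScript source; `compileWithoutEval` shows the "pre-compile" alternative, parsing the same `{{path}}` template (a syntax assumed for this example) into a list of literal strings and property paths that are walked at render time, so no string is ever evaluated as code and the strict policy can stay in place.

```javascript
// Added example (not from the original thread or any framework it mentions).

// The policy from the question's error message, and a hypothetical relaxed
// version with 'unsafe-eval' added. Both are constants constructed here.
const CSP_STRICT = "script-src 'self' 'unsafe-inline' static.eu1.mindsphere.io";
const CSP_RELAXED = "script-src 'self' 'unsafe-inline' 'unsafe-eval' static.eu1.mindsphere.io";

// Simplified check: does this CSP permit eval()/new Function()?
// Looks at script-src, then default-src (the browser's fallback order);
// with neither directive present, dynamic code evaluation is not restricted.
function allowsEval(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0]) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Template syntax assumed for this example: "{{a.b.c}}" reads data.a.b.c.
const PLACEHOLDER = /\{\{\s*([\w.]+)\s*\}\}/g;

// The pattern that needs 'unsafe-eval': the template is rewritten into
// JavaScript source and compiled with new Function(). Under CSP_STRICT a
// browser rejects this with the EvalError quoted in the question. Note that
// template text becomes executable code here, which is exactly the risk the
// CSP keyword exists to contain.
function compileWithNewFunction(template) {
  const body = 'return `' + template.replace(PLACEHOLDER, '${data.$1}') + '`;';
  return new Function('data', body);
}

// The "pre-compile" alternative: parse the template once into parts that are
// either literal text or a property path, then render by walking the parts.
// No string is ever turned into code, so the strict policy is not violated.
function compileWithoutEval(template) {
  const parts = [];
  let last = 0;
  let m;
  PLACEHOLDER.lastIndex = 0;
  while ((m = PLACEHOLDER.exec(template)) !== null) {
    if (m.index > last) parts.push({ text: template.slice(last, m.index) });
    parts.push({ path: m[1].split('.') });
    last = PLACEHOLDER.lastIndex;
  }
  if (last < template.length) parts.push({ text: template.slice(last) });

  return function render(data) {
    let out = '';
    for (const p of parts) {
      if (p.text !== undefined) { out += p.text; continue; }
      // Walk the path reading own properties only, so a template cannot
      // reach inherited members such as constructor.prototype.
      let v = data;
      for (const key of p.path) {
        v = (v !== null && typeof v === 'object' && Object.prototype.hasOwnProperty.call(v, key))
          ? v[key] : undefined;
      }
      out += (v === undefined || v === null) ? '' : String(v);
    }
    return out;
  };
}

// Constructed sample input.
const SAMPLE_TEMPLATE = 'Hello {{user.name}}, you have {{count}} new items';
const SAMPLE_DATA = { user: { name: 'Ada' }, count: 3 };

console.log('strict policy allows eval:', allowsEval(CSP_STRICT));    // false
console.log('relaxed policy allows eval:', allowsEval(CSP_RELAXED));  // true
console.log(compileWithoutEval(SAMPLE_TEMPLATE)(SAMPLE_DATA));        // Hello Ada, you have 3 new items
```

Run outside a browser (Node.js, where no CSP applies) both compilers produce the same output; inside a page served with `CSP_STRICT`, only `compileWithoutEval` works, which is the behaviour the question reports. The relaxed policy makes the error go away, but it also re-enables string-to-code evaluation for every script on the page, so the pre-compiled form is the option that keeps the policy's protection.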