Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script (Content Security Policy directive: default-src 'self')

In my application, I want a Content Security Policy where all directives are set to 'self', but when I try to do that it shows the following errors:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self';".

at Function (<anonymous>)
at Function._init (yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:8:3195)
at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4331
at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4558

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-BfUVqxUMiFIZGvtAvlU3O1tTN9idUT5IuAIpMSM2F5g='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&display=swap' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Sunny Adhatrao asked Dec 08 '25 08:12
1 Answer

unsafe-eval basically nullifies the protections you would gain from Content-Security-Policy.

The whole point of Content-Security-Policy is to protect your app from possible JavaScript injections and Cross-Site Scripting (XSS) attacks.

You set

Content-Security-Policy: script-src 'self';

to only execute safe scripts that are served as files from your own origin, the same origin the app is hosted on.

Now, if you allow unsafe-eval, then that eval becomes a point of entry for the attacker, and once they manage to inject their JavaScript into your app, they have total control and all other benefits you'd get from CSP are voided.

So if you want to have CSP enabled (in a way that makes sense), having eval in your code makes it lose that sense.

Therefore, if you're serious about using CSP to protect your app, you should focus on eliminating your need for eval instead of allowing unsafe-eval within the CSP.

See this Google research paper on CSP for details:

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

sEver answered Dec 09 '25 20:12