Skip to content
This repository has been archived by the owner on Nov 5, 2019. It is now read-only.

CSP does not allow eval #39

Closed
cordoval opened this issue Jul 31, 2017 · 11 comments · Fixed by Narshe1412/React-Boilerplate3#11 or Narshe1412/weather-react#12 · May be fixed by Narshe1412/react-todo#16, Narshe1412/reduxtraining#19 or Narshe1412/reactBPFoundationSCSS#11
Closed

CSP does not allow eval #39

cordoval opened this issue Jul 31, 2017 · 11 comments · Fixed by Narshe1412/React-Boilerplate3#11 or Narshe1412/weather-react#12 · May be fixed by Narshe1412/react-todo#16, Narshe1412/reduxtraining#19 or Narshe1412/reactBPFoundationSCSS#11
Labels
flag: Has pull request severity: 4 (inconvenient) type: Bug

Comments

@cordoval
Copy link

Can we use another way other than calling eval?

This is not good for security reasons

https://github.com/webpack-contrib/script-loader/blob/master/addScript.js#L9

addScript.js:9 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


    at eval (<anonymous>)
    at e.exports (addScript.js:9)
    at Object.659 (jquery.mask.js?872b:1)
    at __webpack_require__ (bootstrap 3d71110…:54)
    at Object.869 (vendors.js:32296)
    at __webpack_require__ (bootstrap 3d71110…:54)
    at e.20 (bootstrap 3d71110…:152)
    at bootstrap 3d71110…:152

source: https://scotthelme.co.uk/content-security-policy-an-introduction/
@alexander-akait
Copy link
Member

@cordoval your wan't eval on bundling step or in compiled code?

@cordoval
Copy link
Author

cordoval commented Aug 1, 2017

the trace i got in production after all the processing that webpack does, so if that is compiled there yes

@alexander-akait
Copy link
Member

@cordoval this loader use eval inside, your should search other solution for your case. Can your explain case why your use eval?

@cordoval
Copy link
Author

cordoval commented Aug 1, 2017

i don't use eval and eval is weak for security. This is very clear when you check what it CSP and how attackers can leverage eval() function used in script-loader to break security. My use case is just the plain usage of this script-loader. I am going to close it but this was a big warning.

@cordoval cordoval closed this as completed Aug 1, 2017
@yairinot
Copy link

I have the same issue.
I try to create an application using angular 2 and bootstrap.
Angular is using webpack for its build.
When script loader try to load the first javascript file I get this error:


Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


    at eval (<anonymous>)
    at webpackJsonp.../../../../script-loader/addScript.js.module.exports (addScript.js:9)
    at Object.../../../../script-loader/index.js!../../../../jquery/dist/jquery.slim.min.js (jquery.slim.min.js?5773:1)
    at __webpack_require__ (bootstrap c6feb7269e0a6fee60b5:54)
    at Object.2 (scripts.bundle.js:65)
    at __webpack_require__ (bootstrap c6feb7269e0a6fee60b5:54)
    at webpackJsonpCallback (bootstrap c6feb7269e0a6fee60b5:25)
    at scripts.bundle.js:1

Is there any way around it ?

@cordoval
Copy link
Author

the work around is not using it

@yairinot
Copy link

I'm not sure I understand the work around.
According to security guidelines I cannot use CSP with 'unsafe-eval'
Does this mean I cannot use angular with additional scripts due to this script-loader issue ?

@emememw emememw mentioned this issue Aug 30, 2017
Merged
@cordoval
Copy link
Author

exactly, you need to use another thing

joshwiens pushed a commit that referenced this issue Sep 12, 2017
@emememw @joshwiens
fix: modify script evaluation for IE11 (#41)
879c141 
Closes #39 
Closes #41
joshwiens pushed a commit that referenced this issue Sep 12, 2017
@emememw @joshwiens
fix: modify script evaluation for IE11 (#41)
370ff3d 
Closes #39 
Closes #41
@literalplus literalplus mentioned this issue Oct 18, 2017
Closed
@hotrush
Copy link

hotrush commented Feb 2, 2018
edited

@cordoval can you propose what to use?

@cordoval
Copy link
Author

cordoval commented Feb 2, 2018

I am not sure @hotrush , i don't use this anymore, i cut it off long time ago

opennode-jenkins pushed a commit to waldur/waldur-homeport that referenced this issue Jun 3, 2019
@AmbientLighter
Drop script-loader because it uses eval but CSP doesn't allow eval [W…
ae81b72 
…AL-2469]

See also: webpack-contrib/script-loader#39
@PierBover
Copy link

I'm having this issue too.

I have a legacy minified .js we have to import. script-loader works fine in most cases, except when running in an iframe in an app in Chrome OS and we get the unsafe-eval error.

I've tried using the noParse option in Webpack but that breaks the legacy file for some reason.

Has anyone found workaround?

@snyk-bot snyk-bot mentioned this issue Dec 5, 2019
Merged
This was referenced Apr 22, 2020
Open
Open
Merged
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
flag: Has pull request severity: 4 (inconvenient) type: Bug
Projects
None yet
Milestone
No milestone
6 participants
@PierBover @cordoval @hotrush @alexander-akait @michael-ciniawsky @yairinot