CSP does not allow eval

[cordoval]

Can we use another way other than calling eval?

This is not good for security reasons

https://github.com/webpack-contrib/script-loader/blob/master/addScript.js#L9

addScript.js:9 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


    at eval (<anonymous>)
    at e.exports (addScript.js:9)
    at Object.659 (jquery.mask.js?872b:1)
    at __webpack_require__ (bootstrap 3d71110…:54)
    at Object.869 (vendors.js:32296)
    at __webpack_require__ (bootstrap 3d71110…:54)
    at e.20 (bootstrap 3d71110…:152)
    at bootstrap 3d71110…:152

source: https://scotthelme.co.uk/content-security-policy-an-introduction/

[alexander-akait]

@cordoval your wan't eval on bundling step or in compiled code?

[cordoval]

the trace i got in production after all the processing that webpack does, so if that is compiled there yes

[alexander-akait]

@cordoval this loader use eval inside, your should search other solution for your case. Can your explain case why your use eval?

[cordoval]

i don't use eval and eval is weak for security. This is very clear when you check what it CSP and how attackers can leverage eval() function used in script-loader to break security. My use case is just the plain usage of this script-loader. I am going to close it but this was a big warning.

[yairinot]

I have the same issue.
I try to create an application using angular 2 and bootstrap.
Angular is using webpack for its build.
When script loader try to load the first javascript file I get this error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


    at eval (<anonymous>)
    at webpackJsonp.../../../../script-loader/addScript.js.module.exports (addScript.js:9)
    at Object.../../../../script-loader/index.js!../../../../jquery/dist/jquery.slim.min.js (jquery.slim.min.js?5773:1)
    at __webpack_require__ (bootstrap c6feb7269e0a6fee60b5:54)
    at Object.2 (scripts.bundle.js:65)
    at __webpack_require__ (bootstrap c6feb7269e0a6fee60b5:54)
    at webpackJsonpCallback (bootstrap c6feb7269e0a6fee60b5:25)
    at scripts.bundle.js:1

Is there any way around it ?

[cordoval]

the work around is not using it

[yairinot]

I'm not sure I understand the work around.
According to security guidelines I cannot use CSP with 'unsafe-eval'
Does this mean I cannot use angular with additional scripts due to this script-loader issue ?