拒绝将字符串评估为 JavaScript，因为“unsafe-eval”不是脚本内容安全策略指令的允许来源：default-src self

Question

In my application, I want Content Security Policy: all directives should be set to self, but when I am trying to do that it is showing the following error

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self';".

at Function (<anonymous>)
at Function._init (yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:8:3195)
at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4331
at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4558

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-BfUVqxUMiFIZGvtAvlU3O1tTN9idUT5IuAIpMSM2F5g='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&display=swap' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Answer 1

The content security policy must have this directive:

default-src 'self';
script-src 'self' 'unsafe-eval'; 
style-src 'self' fonts.googleapis.com;

and more.

Answer 2

If you are using helmet on your Node.JS server, you can configure the following:

server.use(helmet({
    contentSecurityPolicy: false
}));

Or you can configure the following to whitelist a specific domain:

server.use(
  helmet.contentSecurityPolicy({
    directives: {
      "script-src": ["'self'", "example.com"],
      "style-src": null,
    },
  })
);