[英]Angular: Refused to evaluate a string as JavaScript because 'unsafe-eval'
In my application a blob fetched by means of a API-call is passed on to a custom npm-package that will show the blob on the screen (it's an image).在我的应用程序中,通过 API 调用获取的 blob 被传递到自定义 npm 包,该包将在屏幕上显示 blob(它是图像)。 Locally it works.
在本地它有效。 Only not on the development server.
只是不在开发服务器上。
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://www.example.com 'unsafe-inline' https://www.anotherexample.com".
A plane application has be made that fetches the blob and uses the same custom npm-package.已经制作了一个平面应用程序来获取 blob 并使用相同的自定义 npm 包。 The problem seem to be with Angular or better said with my settings.
问题似乎与 Angular 或我的设置有关。 The settings locally are the same and its not clear what the problem is.
本地的设置是一样的,不清楚是什么问题。
The error is not originated in Angular, the problem is your Content-Security-Policy (CSP).该错误并非源自 Angular,问题在于您的 Content-Security-Policy (CSP)。 Your CSP is either defined in the
index.html
file as a meta
tag in the header
section, or set as a header on your server.您的 CSP 在
index.html
文件中定义为header
部分中的meta
标记,或者在您的服务器上设置为 header。
You could simply add 'unsafe-eval' to the CSP, but this is very risky in terms of security.您可以简单地将“unsafe-eval”添加到 CSP,但这在安全性方面是非常危险的。 To me, it seems like the library you are using here uses
eval
at some place, which is bad and should be avoided.对我来说,您在这里使用的库似乎在某个地方使用了
eval
,这很糟糕,应该避免。
With development server, do you mean it is actually deployed, or the local server that starts with ng serve
?使用开发服务器,您的意思是它实际上已部署,还是以
ng serve
开头的本地服务器?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.