
Angular 5 & CSP - Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script

I'm currently experimenting with introducing a Content Security Policy to my application that is built using Angular 5. I'm currently implementing the CSP using a meta tag in my index.html although I will change this in the future. I have inserted the following into my app

<meta http-equiv="Content-Security-Policy" content="script-src 'self'; img-src 'self' data:;media-src 'self'; object-src 'self' data: 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';">

This pretty much covers my needs however when I deploy to a testing server the Browser Console gives me the following message:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

Okay, so I need to add the 'unsafe-eval' to the script-src directive. That's not really a problem but it does seem to make me worried remembering that eval() is evil!

For Angular 5 applications that wish to use a CSP, is it necessary to include 'unsafe-eval' in the script-src directive? Is there a way I can retain the security feature preventing the use of eval()? Is it necessary to include this as Angular uses eval()? I am assuming that the content of the Content-Security-Policy meta tag is correct, although I am sure it may not be the case.

I read this Issue on the angular github https://github.com/angular/angular/issues/19142 but I am unsure if this issue is relevant to me as I am not using SystemJS but webpack in my application?

Many thanks in advance for help, answers and suggestions.

I faced the same issue, and I noticed that running in --prod mode doesn't give errors (I'm using Angular 8).

Depending on your setup, you could use client response headers to implement your security policy, as this will not result in this error.

If your issues are only related to running in debug mode (using meta tags), this is not a solution for you.
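The two points above, which directive actually governs eval() and serving the policy as a response header instead of a meta tag, as an added example that is not part of the question or answer. The parser, the function names (parseCsp, evalAllowed, buildCspHeader, applyCspHeader) and the fake response object are assumptions made for this example; the policy string itself is the one from the question.

```javascript
// Added example (not from the question or answer): parse a CSP string, report
// which directive governs eval() and whether 'unsafe-eval' is present, and
// produce the same policy as a response header value.

// Parse "directive src src; directive src" into a Map of directive -> sources.
// Per the CSP spec, only the first occurrence of a repeated directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Script execution is governed by script-src, falling back to default-src.
// Keywords in other directives (e.g. 'unsafe-eval' under object-src, as in
// the question's policy) have no effect on eval().
function effectiveScriptDirective(directives) {
  if (directives.has('script-src')) return 'script-src';
  if (directives.has('default-src')) return 'default-src';
  return null; // neither present: scripts are unrestricted
}

// Would eval() / new Function() be allowed under this policy?
function evalAllowed(policy) {
  const directives = parseCsp(policy);
  const directive = effectiveScriptDirective(directives);
  if (directive === null) {
    return { allowed: true, directive, reason: 'no script-src or default-src, scripts unrestricted' };
  }
  const allowed = directives.get(directive).some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { allowed, directive, reason: `${directive} ${allowed ? 'contains' : 'lacks'} 'unsafe-eval'` };
}

// Serialize a directive map back into a header value.
function buildCspHeader(directives) {
  return Array.from(directives.entries())
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Set the policy as a response header (the approach suggested in the answer).
// `res` is any object with setHeader(name, value), e.g. a Node http response.
function applyCspHeader(res, policy) {
  const value = buildCspHeader(parseCsp(policy));
  res.setHeader('Content-Security-Policy', value);
  return value;
}

// The policy from the question's <meta> tag (copied verbatim).
const POLICY_FROM_QUESTION =
  "script-src 'self'; img-src 'self' data:;media-src 'self'; object-src 'self' data: 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';";

// Stand-alone run: explain why the browser raised the EvalError.
const verdict = evalAllowed(POLICY_FROM_QUESTION);
console.log(`eval allowed: ${verdict.allowed} (${verdict.reason})`);
const fakeRes = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
console.log('header value:', applyCspHeader(fakeRes, POLICY_FROM_QUESTION));
```

Running this on the question's policy reports that script-src lacks 'unsafe-eval', which is exactly the condition the browser's EvalError describes, and that the 'unsafe-eval' keyword sitting under object-src does not change that. The header value it produces is what a server would send instead of the meta tag.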
