filestack / filestack-js

Official Javascript SDK for the Filestack API and content ingestion system.
https://www.filestack.com
MIT License

Triggers CSP violations if unsafe-eval is not used #390

Open sorin-davidoi opened 3 years ago

sorin-davidoi commented 3 years ago

Using the script-src directive without 'unsafe-eval' results in a violation:

Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").

This is caused by the following line in http://static.filestackapi.com/filestack-js/3.17.0/filestack.min.js:

try{i=i||new Function("return this")()}catch(t)

While this doesn't seem to affect the functionality of the library, if one uses the report-uri directive it will result in useless HTTP requests being made.
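Added example, not part of the original post or of filestack-js: one way a report-uri collector could tally the eval violation described above separately from reports that need review. The host and path prefix come from the URL quoted in the post; the function names, the labels, and the sample reports are constructed, and it assumes the browser sends the legacy `csp-report` JSON body with `blocked-uri` set to `eval`.

```javascript
// Added example, not filestack-js code. Host and path prefix come from the URL
// quoted in the issue; everything else (names, sample reports) is constructed.
const KNOWN_EVAL_SOURCES = [{ host: 'static.filestackapi.com', pathPrefix: '/filestack-js/' }];

// Parse a legacy report-uri body ({"csp-report": {...}}); return null if malformed.
function parseReport(body) {
  let doc;
  try { doc = JSON.parse(body); } catch (e) { return null; }
  const r = doc && doc['csp-report'];
  if (!r || typeof r !== 'object') return null;
  // Older browsers put the whole directive text in violated-directive; keep its name only.
  const directive = String(r['effective-directive'] || r['violated-directive'] || '');
  return {
    directive: directive.trim().split(/\s+/)[0],
    blocked: String(r['blocked-uri'] || ''),
    source: String(r['source-file'] || ''),
  };
}

// Compare parsed host and path so a lookalike host does not pass a string-prefix test.
function isKnownSource(source) {
  let u;
  try { u = new URL(source); } catch (e) { return false; }
  return KNOWN_EVAL_SOURCES.some((k) => u.hostname === k.host && u.pathname.startsWith(k.pathPrefix));
}

// Labels: 'known-sdk-eval' is tallied, never dropped; anything else goes to review.
function classify(body) {
  const r = parseReport(body);
  if (r === null) return 'malformed';
  // Assumption: the browser reports string-to-code violations with blocked-uri "eval".
  if (r.directive !== 'script-src' || r.blocked !== 'eval') return 'review';
  return isKnownSource(r.source) ? 'known-sdk-eval' : 'review-eval';
}

function tally(bodies) {
  const counts = {};
  for (const b of bodies) { const c = classify(b); counts[c] = (counts[c] || 0) + 1; }
  return counts;
}

// Constructed sample reports.
const mk = (o) => JSON.stringify({ 'csp-report': o });
const SAMPLES = [
  mk({ 'violated-directive': "script-src 'self'", 'blocked-uri': 'eval',
       'source-file': 'http://static.filestackapi.com/filestack-js/3.17.0/filestack.min.js' }),
  mk({ 'effective-directive': 'script-src', 'blocked-uri': 'eval',
       'source-file': 'http://static.filestackapi.com.example.net/filestack-js/x.js' }),
  mk({ 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://cdn.example.net/a.js' }),
  '{not json',
];
console.log(tally(SAMPLES));
```

Report bodies are unauthenticated input, so the known-source label is only a bucket for counting; the browser still sends the request for every violation.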

Cherry commented 3 years ago

This is affecting us in production too. Is there any way to disable this unsafe-eval call?

kYann commented 2 years ago

Hello, same here!