hello, I have been evaluating jspreadsheet with a demo account; it has been working very well on my local machine until it was deployed to the stage environment. On stage, when running:

it does not load any spreadsheet at all, instead showing the following error in the console:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
    at Function (<anonymous>)
    at Object.parse (lemonade.js:741:44)
    at Object.parse (lemonade.js:812:23)
    at Object.parse (lemonade.js:812:23)
    at Object.parse (lemonade.js:812:23)
    at Object.parse (lemonade.js:812:23)
    at L.element (lemonade.js:1038:15)
    at L.render (lemonade.js:907:27)
    at Object.parse (lemonade.js:832:15)
    at Object.parse (lemonade.js:812:23)

looking into the line of the exception, it reads:

and in fact even running just

new Function('')

would throw the same error; according to this documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions the Function() constructor is not allowed with the Content-Security-Policy header script-src 'self'.

The only workaround I find is by changing our CSP header from

script-src 'self'

to

script-src 'self' 'unsafe-eval'

but it opens risks of XSS and defeats the purpose of CSP... without 'unsafe-eval' I can't load any spreadsheet at all at the moment...

any suggestion to fix this issue without adding 'unsafe-eval' to our CSP header? thank you

P.S. issue was found with jspreadsheet version 11 in Angular implementation, package versions are:
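Two defender-side checks that follow from the post above, as an added example that is not part of the original post and not code from the jspreadsheet or lemonade.js projects: a small parser that audits a Content-Security-Policy header string and reports whether its effective script-src directive carries 'unsafe-eval' (so a deployment pipeline can flag the relaxed policy the post describes), and a runtime probe that performs the same `new Function('')` call the post mentions, catching the EvalError a strict CSP raises so an application can fail with a clear message instead of a stack trace. The header strings below are constructed samples; the function names are my own.

```javascript
// Added example: not code from the forum post or from jspreadsheet/lemonade.js.
// 1. cspAllowsEval(header): does this CSP header string permit eval/new Function?
// 2. runtimeEvalAllowed(): does the current execution context permit it right now?

function parseCsp(header) {
  // Directives are separated by ';'. Each directive is a case-insensitive name
  // followed by whitespace-separated source expressions.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The CSP spec keeps the first occurrence of a directive and ignores later duplicates.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function cspAllowsEval(header) {
  const directives = parseCsp(header);
  // eval and the Function() constructor are governed by script-src; when it is
  // absent, default-src applies; when both are absent the policy does not restrict eval.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

function runtimeEvalAllowed() {
  try {
    // The probe from the post: under script-src 'self' this throws an EvalError.
    new Function('');
    return true;
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err; // any other exception is a real bug, not a CSP refusal
  }
}

// Constructed sample headers mirroring the two policies discussed in the post.
const STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'";
const RELAXED_CSP = "default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self'";

console.log(cspAllowsEval(STRICT_CSP));  // false: the library's new Function() call is refused
console.log(cspAllowsEval(RELAXED_CSP)); // true: the spreadsheet loads, but string-to-code is allowed
console.log(runtimeEvalAllowed());       // true when run under Node, which applies no CSP
```

Running `cspAllowsEval` against the headers a staging or production server actually sends is the quickest way to confirm whether the workaround in the post (adding 'unsafe-eval') has leaked into an environment where it was not intended; the runtime probe is useful for surfacing the CSP refusal as a deliberate, readable error before a library such as lemonade.js hits it deep inside its template parser.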