themsaid / wink

A Laravel-based publishing platform
MIT License

How to avoid usage of new Function inside compiled app.js #350

Closed. rachids closed this 1 year ago.

rachids commented 2 years ago

Hello,

The compiled wink/public/app.js uses new Function(), which seems to be prohibited by CSP script-src _(see MDN & Google)_.

Here is where it happens (line 14567):

function Aa(t, e) {
    try {
        return new Function(t)
    } catch (n) {
        return e.push({
            err: n,
            code: t
        }),
        j
    }
}

So if you have a CSP set to something like this:

Content-Security-Policy: script-src 'self' cdn.jsdelivr.net

then Wink won't load and you get a fatal error in the browser web console.

The only way to make it work would be to either not have a Content-Security-Policy at all or to explicitly allow 'unsafe-eval'.

Is there a way to prevent the use of new Function inside the compiled app.js?
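As an added example (not Wink's code and not part of this issue), the following Node.js script does two things a practitioner would want when triaging a report like this: it decides whether a given Content-Security-Policy header value lets `new Function` run, following the standard fallback from `script-src` to `default-src`, and it shows a variant of the compile helper above that records a CSP refusal separately from a genuine syntax error instead of silently returning a no-op. The directive and keyword names are the standard CSP ones; `cspAllowsNewFunction`, `policiesAllowNewFunction` and `createFunctionChecked` are names chosen here. The `Aa` helper in the snippet above has the shape of a runtime template compiler's compile step, which is an inference from the code rather than something the issue states.

```javascript
// Added example, not Wink's code. Assumes CSP Level 3 fallback rules:
// script-src governs eval-style code generation; if it is absent, default-src
// applies; if neither is present, dynamic code is permitted.

// Parse "directive source source; directive source" into a Map of
// directive name -> [source expressions]. Directive names are ASCII
// case-insensitive, and a repeated directive is ignored after its first
// occurrence, as the spec requires.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True if the policy permits eval-style code generation (eval, new Function,
// string arguments to setTimeout). Only the literal 'unsafe-eval' keyword
// grants it; nonces, hashes, 'strict-dynamic' and 'wasm-unsafe-eval' do not.
// An empty source list (e.g. "script-src;") behaves like 'none'.
function cspAllowsNewFunction(headerValue) {
  const directives = parseCsp(headerValue);
  const governing = directives.get('script-src') ?? directives.get('default-src');
  if (governing === undefined) return true; // no directive restricts scripts at all
  return governing.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// A response may carry several policies (multiple headers, or header plus
// <meta>). Every one of them must allow dynamic code, so the strictest wins.
function policiesAllowNewFunction(headerValues) {
  return headerValues.every(cspAllowsNewFunction);
}

// Same contract as the helper quoted in the issue (returns a no-op and records
// the error on failure), but it distinguishes a CSP refusal, which browsers
// surface as an EvalError, from a syntax error in the generated code, so the
// caller can show "blocked by CSP" rather than an unexplained blank page.
function noop() {}

function createFunctionChecked(code, errors) {
  try {
    return new Function(code);
  } catch (err) {
    errors.push({
      err,
      code,
      blockedByCsp: err instanceof EvalError,
    });
    return noop;
  }
}

// Constructed sample policies, including the one from the issue report.
const samplePolicies = [
  "script-src 'self' cdn.jsdelivr.net",              // issue's policy: blocks new Function
  "script-src 'self' 'unsafe-eval' cdn.jsdelivr.net", // works, but re-enables eval
  "default-src 'self'",                                // blocks via fallback
  "img-src 'self'",                                    // no script restriction
];

for (const policy of samplePolicies) {
  console.log(`${policy.padEnd(52)} -> new Function allowed: ${cspAllowsNewFunction(policy)}`);
}

const compileErrors = [];
createFunctionChecked('return (', compileErrors); // syntax error, not a CSP block
console.log('recorded errors:', compileErrors.map((e) => ({ code: e.code, blockedByCsp: e.blockedByCsp })));
```

If a bundle pulls in a template compiler that calls `new Function` at runtime, the durable fix is to compile the templates during the build so the shipped bundle contains only the runtime and never generates code from strings; adding `'unsafe-eval'` should be a last resort, because it re-opens the code-from-string path that `script-src` exists to close.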

themsaid commented 1 year ago

Will look into this.